ACL syntax · Tailscale Docs
<!DOCTYPE html><html lang="en" class="__className_943d4e"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" href="/_next/static/media/d3470cfc68a51edd-s.p.woff2" as="font" crossorigin="" type="font/woff2"/><link rel="stylesheet" href="/_next/static/css/425118351a398cbb.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/90d8e427ffb6abd2.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-7add37186d0ff440.js"/><script src="/_next/static/chunks/fd9d1056-482290aea9828141.js" async=""></script><script src="/_next/static/chunks/7023-337611230f8b70ed.js" async=""></script><script src="/_next/static/chunks/main-app-490330e0be22d2d6.js" async=""></script><script src="/_next/static/chunks/231-07416b1f957d0db7.js" async=""></script><script src="/_next/static/chunks/app/kb/%5B%5B...params%5D%5D/error-d79b6b3fc14d36f0.js" async=""></script><script src="/_next/static/chunks/app/layout-32e599393abf9240.js" async=""></script><script src="/_next/static/chunks/5828-bdbd767bd529f5f9.js" async=""></script><script src="/_next/static/chunks/6257-e637d432bc778e7a.js" async=""></script><script src="/_next/static/chunks/919-76fb265b32c91554.js" async=""></script><script src="/_next/static/chunks/app/kb/layout-fda2441131486605.js" async=""></script><script src="/_next/static/chunks/1850-dd5ed91b5253b88f.js" async=""></script><script src="/_next/static/chunks/app/kb/%5B%5B...params%5D%5D/page-4eefb0a22d44c126.js" async=""></script><meta name="theme-color" content="#fff"/><title>ACL syntax · Tailscale Docs</title><meta name="description" content="Reference syntax for the tailnet policy file."/><link rel="canonical" href="https://tailscale.com/kb/1337/acl-syntax"/><meta property="og:title" content="ACL syntax · Tailscale Docs"/><meta property="og:description" content="Reference syntax for the tailnet policy file."/><meta property="og:url" 
group-hover:fill-heading-black" d="M19.6754 11.46C19.5368 10.5863 19.121 9.98138 18.1506 9.84696C16.6258 9.57813 14.2693 9.57812 14.2693 9.57812C14.2693 9.57812 11.9128 9.57813 10.388 9.84696C9.4177 9.98138 8.93254 10.5863 8.86323 11.46C8.72461 12.3337 8.72461 13.6106 8.72461 13.6106C8.72461 13.6106 8.72461 14.8876 8.86323 15.7613C9.00185 16.635 9.4177 17.2399 10.388 17.3743C11.9128 17.6432 14.2693 17.6432 14.2693 17.6432C14.2693 17.6432 16.6258 17.6432 18.1506 17.3743C19.121 17.1727 19.5368 16.635 19.6754 15.7613C19.814 14.8876 19.814 13.6106 19.814 13.6106C19.814 13.6106 19.814 12.3337 19.6754 11.46ZM12.8831 15.6269V11.5944L16.3486 13.6106L12.8831 15.6269Z" fill="white"></path></svg></span></div><div class="t-14 mx-auto mt-10 max-w-[264px] text-center text-black-4/60"> <!-- -->© <!-- -->2025<!-- --> </div></div><main class="scope-kb is-wide container"><div class="grid grid-cols-10 gap-x-8 pt-4 md:pt-8"><aside class="js-docHighlight col-span-10 md:col-span-3 md:row-span-2 xl:col-span-2"><div class="relative hidden h-full md:block"><div class="sticky top-[68px] -mt-2 px-1"><div class="absolute inset-x-0 h-4 w-full from-white top-0 bg-gradient-to-b"></div><ul class="flex max-h-[90vh] flex-col gap-1 overflow-y-auto pb-4 pt-2 text-sm"><li data-slug="start"><a class="rounded py-1 text-stone-800 hover:text-stone-900 mb-0.5 mt-2 block pl-2 font-semibold hover:bg-stone-100" href="/kb/1346/start">Start</a><ul class="flex flex-col gap-0.5"><li data-slug="install" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1017/install"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Quickstart</span></a></li><li data-slug="installation" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 
pr-2 pl-4 hover:bg-stone-100" href="/kb/1347/installation"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Install Tailscale</span></a></li><li data-slug="quick-guides" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1415/quick-guides"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Quick guides</span></a></li><li data-slug="sso-providers" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1013/sso-providers"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Set up an identity provider</span></a></li><li data-slug="what-is-tailscale" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1151/what-is-tailscale"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>What is Tailscale?</span></a></li></ul></li><li data-slug="guides"><a class="rounded py-1 text-stone-800 hover:text-stone-900 mb-0.5 mt-2 block pl-2 font-semibold hover:bg-stone-100" href="/kb/1348/guides">How-to Guides</a><ul class="flex flex-col gap-0.5"><li class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 block pl-4 font-semibold hover:bg-stone-100" href="/kb/1350/manage">Manage Access</a><ul class="flex flex-col gap-0.5"><li data-slug="access-control" class="flex flex-col gap-0.5"><a 
class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1393/access-control"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="6 9 12 15 18 9"></polyline></svg> <span>Manage access control</span></a><ul class="flex flex-col gap-0.5"><li data-slug="acls" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-6 hover:bg-stone-100" href="/kb/1018/acls"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="6 9 12 15 18 9"></polyline></svg> <span>Manage ACLs</span></a><ul class="flex flex-col gap-0.5"><li data-slug="acl-syntax" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-8 bg-stone-100 hover:bg-stone-200" href="/kb/1337/acl-syntax"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="6 9 12 15 18 9"></polyline></svg> <span>ACL syntax</span></a></li></ul></li><li data-slug="acl-grants" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-6 hover:bg-stone-100" href="/kb/1324/acl-grants"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Manage grants</span></a></li><li data-slug="acl-edit" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-6 hover:bg-stone-100" href="/kb/1338/acl-edit"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Edit the tailnet 
policy file</span></a></li><li data-slug="gitopcs-acls" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-6 hover:bg-stone-100" href="/kb/1204/gitopcs-acls"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Manage ACLs with GitOps</span></a></li></ul></li><li data-slug="just-in-time-access" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1443/just-in-time-access"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Manage Just-in-time access</span></a></li><li data-slug="manage-devices" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1372/manage-devices"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Manage devices</span></a></li><li data-slug="manage-users" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1373/manage-users"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Manage users</span></a></li><li data-slug="tailnet-lock" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1226/tailnet-lock"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 
24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Tailnet lock</span></a></li></ul></li><li class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 block pl-4 font-semibold hover:bg-stone-100" href="/kb/1351/route">Route Traffic</a><ul class="flex flex-col gap-0.5"><li data-slug="subnets" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1019/subnets"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Set up a subnet router</span></a></li><li data-slug="exit-nodes" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1103/exit-nodes"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Set up an exit node</span></a></li><li data-slug="app-connectors" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1281/app-connectors"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Set up an app connector</span></a></li><li data-slug="dns" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1054/dns"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Use DNS</span></a></li><li data-slug="magicdns" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 
hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1081/magicdns"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Set up MagicDNS</span></a></li><li data-slug="high-availability" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1115/high-availability"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Set up high availability</span></a></li></ul></li><li class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 block pl-4 font-semibold hover:bg-stone-100" href="/kb/1352/servers">Set Up Servers</a><ul class="flex flex-col gap-0.5"><li data-slug="set-up-servers" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1245/set-up-servers"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Set up a server</span></a></li><li data-slug="tags" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1068/tags"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Use tags</span></a></li><li data-slug="cloud-init" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1293/cloud-init"><svg class="icon inline-block 
!h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Install Tailscale with cloud-init</span></a></li><li data-slug="auth-keys" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1085/auth-keys"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Use auth keys</span></a></li><li data-slug="tailscale-ssh" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1193/tailscale-ssh"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Use Tailscale SSH</span></a></li><li data-slug="enabling-https" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1153/enabling-https"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Set up HTTPS certificates</span></a></li><li data-slug="ephemeral-nodes" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1111/ephemeral-nodes"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Run an ephemeral node</span></a></li><li data-slug="run-unattended" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 
hover:bg-stone-100" href="/kb/1088/run-unattended"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Run unattended</span></a></li></ul></li><li class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 block pl-4 font-semibold hover:bg-stone-100" href="/kb/1354/share">Access & Share Services</a><ul class="flex flex-col gap-0.5"><li data-slug="services" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1100/services"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>View services</span></a></li><li data-slug="sharing" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1084/sharing"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Share nodes</span></a></li><li data-slug="taildrop" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1106/taildrop"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Use Taildrop</span></a></li></ul></li><li class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 block pl-4 font-semibold hover:bg-stone-100" href="/kb/1353/share-web-server">Share a web server</a><ul class="flex flex-col gap-0.5"><li data-slug="funnel" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 
hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1223/funnel"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Tailscale Funnel</span></a></li><li data-slug="serve" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1312/serve"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Tailscale Serve</span></a></li></ul></li><li class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 block pl-4 font-semibold hover:bg-stone-100" href="/kb/1355/solutions">Solutions</a><ul class="flex flex-col gap-0.5"><li data-slug="vscode-ipad" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1166/vscode-ipad"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Code from your iPad</span></a></li><li data-slug="secure-server-ubuntu" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1077/secure-server-ubuntu"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Lock down a server</span></a></li><li data-slug="pikvm" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1292/pikvm"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] 
stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Access a PiKVM</span></a></li><li data-slug="pi-hole" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1114/pi-hole"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Run a Pi-hole</span></a></li><li data-slug="ip-blocklist-relays" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1059/ip-blocklist-relays"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Secure external services</span></a></li><li data-slug="just-in-time-access" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1443/just-in-time-access"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Just-in-time access</span></a></li><li data-slug="automations" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1430/automations"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Automation</span></a></li></ul></li></ul></li><li data-slug="integrations"><a class="rounded py-1 text-stone-800 hover:text-stone-900 mb-0.5 mt-2 block pl-2 font-semibold hover:bg-stone-100" 
href="/kb/1356/integrations">Integrations</a><ul class="flex flex-col gap-0.5"><li data-slug="cloud-server" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/integrations/cloud-server"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Cloud servers</span></a></li><li data-slug="containers-and-virtualization" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1358/containers-and-virtualization"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Containers and virtualization</span></a></li><li data-slug="serverless" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1364/serverless"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Serverless apps</span></a></li><li data-slug="database" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1359/database"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Databases</span></a></li><li data-slug="remote-code" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1363/remote-code"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative 
top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Remote environments</span></a></li><li data-slug="developer-tools" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1360/developer-tools"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Developer tools</span></a></li><li data-slug="firewall" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1361/firewall"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Firewalls</span></a></li><li data-slug="webserver" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1365/webserver"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Web servers</span></a></li><li data-slug="nas" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1307/nas"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>NAS</span></a></li></ul></li><li data-slug="faq"><a class="rounded py-1 text-stone-800 hover:text-stone-900 mb-0.5 mt-2 block pl-2 font-semibold hover:bg-stone-100" href="/kb/1366/faq">FAQ</a></li><li data-slug="log-events"><a class="rounded py-1 text-stone-800 hover:text-stone-900 mb-0.5 mt-2 block pl-2 font-semibold hover:bg-stone-100" 
href="/kb/1349/log-events">Logging, Streaming, and Events</a><ul class="flex flex-col gap-0.5"><li data-slug="log-mesh-traffic" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1011/log-mesh-traffic"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Logging overview</span></a></li><li data-slug="audit-logging" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1203/audit-logging"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Configuration audit logging</span></a></li><li data-slug="network-flow-logs" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1219/network-flow-logs"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Network flow logs</span></a></li><li data-slug="log-streaming" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1255/log-streaming"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Log streaming</span></a></li><li data-slug="tailscale-ssh-session-recording" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" 
href="/kb/1246/tailscale-ssh-session-recording"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>SSH session recording</span></a></li><li data-slug="client-metrics" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1482/client-metrics"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Client metrics</span></a></li><li data-slug="webhooks" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1213/webhooks"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Webhooks</span></a></li></ul></li><li data-slug="manage-account"><a class="rounded py-1 text-stone-800 hover:text-stone-900 mb-0.5 mt-2 block pl-2 font-semibold hover:bg-stone-100" href="/kb/1431/manage-account">Manage Your Organization</a><ul class="flex flex-col gap-0.5"><li data-slug="contract-preferences" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1224/contract-preferences"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Contact preferences</span></a></li><li data-slug="pb-lp" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1375/pb-lp"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 
hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 bg-stone-100 hover:bg-stone-200" href="/kb/1337/acl-syntax"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="6 9 12 15 18 9"></polyline></svg> <span>ACL syntax</span></a><ul class="flex flex-col gap-0.5"><li data-slug="acl-grants" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-6 hover:bg-stone-100" href="/kb/1324/acl-grants"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Grants</span></a></li><li data-slug="ipsets" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-6 hover:bg-stone-100" href="/kb/1387/ipsets"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>IP sets</span></a></li><li data-slug="via" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-6 hover:bg-stone-100" href="/kb/1378/via"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Via in grants</span></a></li></ul></li><li data-slug="acl-samples" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1192/acl-samples"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>ACL samples</span></a></li><li data-slug="cli" class="flex flex-col gap-0.5"><a class="rounded 
py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1080/cli"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>CLI</span></a></li><li data-slug="api" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1101/api"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>API</span></a></li><li data-slug="key-prefixes" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1277/key-prefixes"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Key prefixes</span></a></li><li data-slug="production-best-practices" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1300/production-best-practices"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Production best practices</span></a></li><li data-slug="shared-responsibility" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1212/shared-responsibility"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Shared responsibility</span></a></li><li data-slug="tech-overviews" class="flex 
flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1376/tech-overviews"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Technical overviews</span></a></li><li data-slug="terminology-and-concepts" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1155/terminology-and-concepts"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Terminology and concepts</span></a></li><li class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="https://github.com/tailscale/tailscale"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>GitHub ↗</span></a></li></ul></li><li data-slug="get-support"><a class="rounded py-1 text-stone-800 hover:text-stone-900 mb-0.5 mt-2 block pl-2 font-semibold hover:bg-stone-100" href="/kb/1432/get-support">Get Support</a><ul class="flex flex-col gap-0.5"><li data-slug="troubleshooting" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1023/troubleshooting"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Troubleshooting</span></a></li><li data-slug="support-options" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 
pl-4 hover:bg-stone-100" href="/kb/1250/support-options"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Support options</span></a></li><li class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/contact/support"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Contact support ↗</span></a></li><li data-slug="bug-report" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1227/bug-report"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Generate a bug report</span></a></li></ul></li><li data-slug="resources"><a class="rounded py-1 text-stone-800 hover:text-stone-900 mb-0.5 mt-2 block pl-2 font-semibold hover:bg-stone-100" href="/kb/1368/resources">Resources</a><ul class="flex flex-col gap-0.5"><li class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/changelog"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Changelog ↗</span></a></li><li class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/compare"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> 
<span>Comparisons ↗</span></a></li><li data-slug="release-stages" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1167/release-stages"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Release stages</span></a></li><li class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/security"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Security ↗</span></a></li><li data-slug="versions" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1168/versions"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Versions</span></a></li><li data-slug="use-cases" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1377/use-cases"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Use cases</span></a></li><li data-slug="invite-only-feature" class="flex flex-col gap-0.5"><a class="rounded py-1 text-stone-800 hover:text-stone-900 flex w-full items-start gap-1 pr-2 pl-4 hover:bg-stone-100" href="/kb/1222/invite-only-feature"><svg class="icon inline-block !h-[0.9em] !w-[0.9em] stroke-gray-500 invisible relative top-1" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"></polyline></svg> <span>Invite 
only features</span></a></li></ul></li></ul><div class="absolute inset-x-0 h-4 w-full from-white bottom-0 bg-gradient-to-t"></div></div></div></div></aside><div class="col-span-10 mb-8 md:col-span-7 xl:col-span-6"><div class="max-w-3xl xl:mx-auto"><div class="pb-8"><!--$--><div class="relative md:max-w-lg"><form class="relative flex" autoComplete="off" autoCapitalize="off" autoCorrect="off" action="/kb"><input class="input hide-search-ui flex-shrink-0 flex-grow" type="search" placeholder="Search..." aria-label="Search" name="q" value=""/></form></div><!--/$--></div><article id="main-content" class="prism markdown-content js-docHighlight"><header class="mb-2 hidden md:flex"><script type="application/ld+json">{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Docs","item":"/kb"},{"@type":"ListItem","position":2,"name":"How-to Guides","item":"/kb/1348/guides"},{"@type":"ListItem","position":3,"name":"Manage Access","item":"/kb/1350/manage"},{"@type":"ListItem","position":4,"name":"Manage access control","item":"/kb/1393/access-control"},{"@type":"ListItem","position":5,"name":"Manage ACLs","item":"/kb/1018/acls"},{"@type":"ListItem","position":6,"name":"ACL syntax","item":"/kb/1337/acl-syntax"}]}</script><nav class="flex min-w-0 items-center gap-2 whitespace-nowrap text-sm font-medium"><a class="transition-color text-gray-600 hover:text-gray-800" href="/kb">Docs</a><span class="select-none text-gray-500">›</span><a class="transition-color text-gray-600 hover:text-gray-800" href="/kb/1348/guides">How-to Guides</a><span class="select-none text-gray-500">›</span><a class="transition-color text-gray-600 hover:text-gray-800" href="/kb/1350/manage">Manage Access</a><span class="select-none text-gray-500">›</span><a class="transition-color text-gray-600 hover:text-gray-800" href="/kb/1393/access-control">Manage access control</a><span class="select-none text-gray-500">›</span><a class="transition-color 
text-gray-600 hover:text-gray-800" href="/kb/1018/acls">Manage ACLs</a><span class="select-none text-gray-500">›</span><span class="text-gray-800">ACL syntax</span></nav></header><h1 class="mb-4 text-4xl font-medium tracking-tight">ACL syntax</h1><div class="ts-prose"><!--$--><p>You can write Tailscale <a href="/kb/1393/access-control">access control</a> rules such as <a href="/kb/1018/acls">ACLs</a> and <a href="/kb/1324/grants">grants</a> in the tailnet policy file, which is expressed in <a href="https://github.com/tailscale/hujson">human JSON (HuJSON)</a>.</p> <p>The tailnet policy file has the following top-level sections relating to ACLs:</p> <ul> <li><a href="#acls">Access control lists (<code>acls</code>)</a></li> <li><a href="#grants">Grants (<code>grants</code>)</a></li> <li><a href="#groups">Groups (<code>groups</code>)</a></li> <li><a href="#hosts">Hosts (<code>hosts</code>)</a></li> <li><a href="#postures">Postures (<code>postures</code>)</a></li> <li><a href="#tag-owners">Tag owners (<code>tagOwners</code>)</a></li> <li><a href="#autoapprovers">Auto approvers (<code>autoApprovers</code>)</a></li> <li><a href="#ssh">SSH (<code>ssh</code>)</a></li> <li><a href="#nodeattrs">Node attributes (<code>nodeAttrs</code>)</a></li> <li><a href="#tests">Tests (<code>tests</code>)</a></li> <li><a href="#sshtests">SSH test (<code>sshTests</code>)</a></li> <li><a href="#ipsets">IP sets (<code>ipsets</code>)</a></li> </ul> <div class="note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm"><span class="absolute left-3 top-3 inline-block h-[18px] w-[18px]"><svg xmlns="http://www.w3.org/2000/svg" width="18px" height="18px" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg></span><p>The 
tailnet policy file also contains <a href="/kb/1324/grants">grants</a> and the following <a href="#network-policy-options">network-wide policy settings</a> (unrelated to access control): <code>derpMap</code>, <code>disableIPv4</code>, and <code>randomizeClientPort</code>.</p></div> <span id="acls"></span> <h2 id="access-rules"><a class="group flex items-center gap-2" href="#access-rules"><span id="inner-text">Access rules</span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h2> <p>The <code>acls</code> section lists access rules for your tailnet. Each rule grants access from a set of sources to a set of destinations.</p> <p>Access rules can use <a href="#groups">groups</a> and <a href="/kb/1068/tags">tags</a> to grant access to pre-defined sets of users and assign service role accounts to nodes. 
Together, groups and tags let you build powerful <a href="/blog/rbac-like-it-was-meant-to-be">role-based access control (RBAC)</a> policies.</p> <p>Tailscale automatically translates all ACLs to lower-level rules that allow traffic from a source IP address to a destination IP address and port.</p> <p>The following example shows an access rule with an <code>action</code>, <code>src</code>, <code>proto</code>, and <code>dst</code>.</p> <div class="group relative overflow-hidden"><div class="absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100"><button type="button" aria-label="copy"><svg width="17" height="17" viewBox="0 0 17 17" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M12.8333 9.91667H14.0833C15.0038 9.91667 15.75 9.1705 15.75 8.25V2.41667C15.75 1.49619 15.0038 0.75 14.0833 0.75H8.25C7.3295 0.75 6.58333 1.49619 6.58333 2.41667V3.66667M2.41667 6.58333H8.25C9.1705 6.58333 9.91667 7.3295 9.91667 8.25V14.0833C9.91667 15.0038 9.1705 15.75 8.25 15.75H2.41667C1.49619 15.75 0.75 15.0038 0.75 14.0833V8.25C0.75 7.3295 1.49619 6.58333 2.41667 6.58333Z" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path></svg></button></div><pre class="refractor language-json"><code class="language-json"><span class="token punctuation">{</span> <span class="token property">"action"</span><span class="token operator">:</span> <span class="token string">"accept"</span><span class="token punctuation">,</span> <span class="token property">"src"</span><span class="token operator">:</span> <span class="token punctuation">[</span> &lt;list-of-sources&gt; <span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"proto"</span><span class="token operator">:</span> <span class="token string">"tcp"</span><span class="token punctuation">,</span> <span class="token comment">// 
optional</span> <span class="token property">"dst"</span><span class="token operator">:</span> <span class="token punctuation">[</span> &lt;list-of-destinations&gt; <span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token punctuation">}</span> </code></pre></div> <div class="note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm"><span class="absolute left-3 top-3 inline-block h-[18px] w-[18px]"><svg xmlns="http://www.w3.org/2000/svg" width="18px" height="18px" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg></span><p>The <code>acls</code> section of the tailnet policy supports the legacy fields <code>users</code> and <code>ports</code>, but the best practice is to use <code>src</code> (instead of <code>users</code>) and <code>dst</code> (instead of <code>ports</code>).</p></div> <h3 id="action"><a class="group flex items-center gap-2" href="#action"><span id="inner-text"><code>action</code></span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>Tailscale access rules deny access by default. As a result, the only possible <code>action</code> is <code>accept</code>. 
<code>accept</code> allows traffic from the source (<code>src</code>) to the destination (<code>dst</code>).</p> <h3 id="src"><a class="group flex items-center gap-2" href="#src"><span id="inner-text"><code>src</code></span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>The <code>src</code> field specifies a list of sources to which the rule applies. Each element in the list can be one of the following:</p> <table class="w-full"><thead><tr><th><strong>Type</strong></th><th><strong>Example</strong></th><th><strong>Description</strong></th></tr></thead><tbody class="fs-small"><tr><td>Any</td><td>*</td><td>All traffic originating from Tailscale devices in your tailnet, any approved subnets, and <code>autogroup:shared</code>. It does not allow traffic originating from non-Tailscale devices (unless the source is within an approved route).</td></tr><tr><td>User</td><td><code>shreya@example.com</code></td><td>Includes all the provided user's devices.</td></tr><tr><td><a href="#groups">Group</a></td><td><code>group:&lt;group-name&gt;</code></td><td>Includes all users in the provided group.</td></tr><tr><td>Tailscale IP</td><td><code>100.101.102.103</code></td><td>Includes only the device that owns the provided Tailscale IP. 
IPv6 addresses must follow the format <code>[1:2:3::4]:80</code>.</td></tr><tr><td><a href="/kb/1019/subnets">Subnet</a> CIDR Range</td><td><code>192.168.1.0/24</code></td><td>Includes any IP address within the provided subnet.</td></tr><tr><td><a href="#hosts">Host</a></td><td><code>my-host</code></td><td>Includes the Tailscale IP address or CIDR in the <code>hosts</code> section.</td></tr><tr><td><a href="/kb/1068/tags">Tag</a></td><td><code>tag:production</code></td><td>Includes all devices with the provided tag.</td></tr><tr><td><a href="#autogroups">Autogroup</a></td><td><code>autogroup:&lt;role|property&gt;</code></td><td>Includes devices of users, destinations, or usernames with the same properties or roles.</td></tr><tr><td><a href="#autogroups">Autogroup (all)</a></td><td><code>autogroup:danger-all</code></td><td>A special autogroup that selects all sources including those outside your tailnet.</td></tr></tbody></table> <p>You can optionally include the <code>srcPosture</code> field to further restrict <code>src</code> devices to the ones matching a set of <a href="/kb/1288/device-posture#device-posture-conditions">device posture conditions</a>.</p> <h3 id="proto"><a class="group flex items-center gap-2" href="#proto"><span id="inner-text"><code>proto</code></span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>The <code>proto</code> field is an optional field you can use to specify the protocol to which the rule applies. 
Without a protocol, the access rule applies to all TCP and UDP traffic.</p> <p>You can specify <code>proto</code> as an <a href="https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml">IANA IP protocol number</a> <code>1-255</code> (for example, <code>"16"</code>) or one of the supported named aliases.</p> <br/> <details><summary>Expand to view all named aliases.</summary><table class="w-full"><thead><tr><th><strong>Protocol</strong></th><th><strong><code>proto</code></strong></th><th><strong>IANA protocol number</strong></th></tr></thead><tbody class="fs-small"><tr><td>Internet Group Management (IGMP)</td><td><code>igmp</code></td><td><code>2</code></td></tr><tr><td>IPv4 encapsulation</td><td><code>ipv4</code>, <code>ip-in-ip</code></td><td><code>4</code></td></tr><tr><td>Transmission Control (TCP)</td><td><code>tcp</code></td><td><code>6</code></td></tr><tr><td>Exterior Gateway Protocol (EGP)</td><td><code>egp</code></td><td><code>8</code></td></tr><tr><td>Any private interior gateway</td><td><code>igp</code></td><td><code>9</code></td></tr><tr><td>User Datagram (UDP)</td><td><code>udp</code></td><td><code>17</code></td></tr><tr><td>Generic Routing Encapsulation (GRE)</td><td><code>gre</code></td><td><code>47</code></td></tr><tr><td>Encap Security Payload (ESP)</td><td><code>esp</code></td><td><code>50</code></td></tr><tr><td>Authentication Header (AH)</td><td><code>ah</code></td><td><code>51</code></td></tr><tr><td>Stream Control Transmission Protocol (SCTP)</td><td><code>sctp</code></td><td><code>132</code></td></tr></tbody></table></details> <div class="note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm"><span class="absolute left-3 top-3 inline-block h-[18px] w-[18px]"><svg xmlns="http://www.w3.org/2000/svg" width="18px" height="18px" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle 
cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg></span><p>Notes about the <code>proto</code> field:</p><ul> <li>You must use Tailscale version v1.18.2 or later to use the <code>proto</code> field. Earlier versions of Tailscale will fail and block access rules with protocols.</li> <li>If traffic is allowed for a given pair of IP addresses, then ICMP will also be allowed.</li> <li>Only TCP, UDP, and SCTP traffic support specifying ports. All other protocols only support <code>*</code> as the protocol port.</li> </ul></div> <h3 id="dst"><a class="group flex items-center gap-2" href="#dst"><span id="inner-text"><code>dst</code></span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>The <code>dst</code> field specifies a list of destinations to which the rule applies. 
Each element in the list specifies a <code>host</code> and one or more <code>ports</code> in the format <code>&lt;host&gt;:&lt;ports&gt;</code>.</p> <p>The <code>host</code> can be any of the following types:</p> <table class="w-full"><thead><tr><th><strong>Type</strong></th><th><strong>Example</strong></th><th><strong>Description</strong></th></tr></thead><tbody class="fs-small"><tr><td>Any</td><td>*</td><td>Includes any destination (no restrictions).</td></tr><tr><td>User</td><td><code>shreya@example.com</code></td><td>Includes any device currently signed in as the provided user.</td></tr><tr><td><a href="#groups">Group</a></td><td><code>group:&lt;group-name&gt;</code></td><td>Includes all users in the provided group.</td></tr><tr><td>Tailscale IP address</td><td><code>100.101.102.103</code></td><td>Includes only the device that owns the provided Tailscale IP address.</td></tr><tr><td><a href="#hosts">Hosts</a></td><td><code>example-host-name</code></td><td>Includes the Tailscale IP address in the <a href="#hosts"><code>hosts</code> section</a>.</td></tr><tr><td><a href="/kb/1019/subnets">Subnet</a> CIDR Range</td><td><code>192.168.1.0/24</code></td><td>Includes any IP address within the given subnet.</td></tr><tr><td><a href="/kb/1068/tags">Tags</a></td><td><code>tag:&lt;tag-name&gt;</code></td><td>Includes any device with the provided tag.</td></tr><tr><td>Internet access through an <a href="/kb/1103/exit-nodes">exit node</a></td><td><code>autogroup:internet</code></td><td>Includes devices with access to the internet through <a href="/kb/1103/exit-nodes">exit nodes.</a></td></tr><tr><td>Own devices</td><td><code>autogroup:self</code></td><td>Includes devices where the same user is authenticated on both the <code>src</code> and the <code>dst</code>. 
This does not include devices for which the user has <a href="/kb/1068/tags/">tags</a>.</td></tr><tr><td>Tailnet devices</td><td><code>autogroup:member</code></td><td>Includes devices in the tailnet where the user is a direct member (not a shared user) of the tailnet.</td></tr><tr><td>Admin devices</td><td><code>autogroup:admin</code></td><td>Includes devices where the user is an <a href="/kb/1138/user-roles/#admin">Admin</a>.</td></tr><tr><td>Network admin devices</td><td><code>autogroup:network-admin</code></td><td>Includes devices where the user is a <a href="/kb/1138/user-roles/#network-admin">Network admin</a>.</td></tr><tr><td>IT admin devices</td><td><code>autogroup:it-admin</code></td><td>Includes devices where the user is an <a href="/kb/1138/user-roles/#it-admin">IT admin</a>.</td></tr><tr><td>Billing admin devices</td><td><code>autogroup:billing-admin</code></td><td>Includes devices where the user is a <a href="/kb/1138/user-roles/#billing-admin">Billing admin</a>.</td></tr><tr><td>Auditor devices</td><td><code>autogroup:auditor</code></td><td>Includes devices where the user is an <a href="/kb/1138/user-roles/#auditor">Auditor</a>.</td></tr><tr><td>Owner devices</td><td><code>autogroup:owner</code></td><td>Includes devices where the user is the tailnet <a href="/kb/1138/user-roles/#owner">Owner</a>.</td></tr></tbody></table> <p>The <code>ports</code> field can be any of the following types:</p> <table class="w-full"><thead><tr><th><strong>Type</strong></th><th><strong>Description</strong></th><th><strong>Example</strong></th></tr></thead><tbody class="fs-small"><tr><td>Any</td><td>Includes any port number.</td><td><code>*</code></td></tr><tr><td>Single</td><td>Includes a single port number.</td><td><code>22</code></td></tr><tr><td>Multiple</td><td>Includes two or more port numbers separated by commas.</td><td><code>80,443</code></td></tr><tr><td>Range</td><td>Includes a range of port numbers.</td><td><code>1000-2000</code></td></tr></tbody></table> 
<h3 id="subnet-routers-and-exit-nodes"><a class="group flex items-center gap-2" href="#subnet-routers-and-exit-nodes"><span id="inner-text">Subnet routers and exit nodes</span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>ACLs don't limit the discovery of routes. If a device is a <a href="/kb/1019/subnets">subnet router</a>, you can restrict access to it independently from the subnet. If a device is an <a href="/kb/1103/exit-nodes">exit node</a>, you can restrict access to it independently from its public IP address.</p> <p>To restrict access to a subnet, ensure that no ACL allows access to those routes. You can enforce this with a test that fails if any rule accidentally allows access. 
The following example demonstrates a test that fails if <code>not-allowed@example.com</code> is allowed access to <code>198.51.100.7:22</code>.</p> <div class="group relative overflow-hidden"><div class="absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100"><button type="button" aria-label="copy"><svg width="17" height="17" viewBox="0 0 17 17" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M12.8333 9.91667H14.0833C15.0038 9.91667 15.75 9.1705 15.75 8.25V2.41667C15.75 1.49619 15.0038 0.75 14.0833 0.75H8.25C7.3295 0.75 6.58333 1.49619 6.58333 2.41667V3.66667M2.41667 6.58333H8.25C9.1705 6.58333 9.91667 7.3295 9.91667 8.25V14.0833C9.91667 15.0038 9.1705 15.75 8.25 15.75H2.41667C1.49619 15.75 0.75 15.0038 0.75 14.0833V8.25C0.75 7.3295 1.49619 6.58333 2.41667 6.58333Z" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path></svg></button></div><pre class="refractor language-json"><code class="language-json"><span class="token property">"tests"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <span class="token punctuation">{</span> <span class="token property">"src"</span><span class="token operator">:</span> <span class="token string">"not-allowed@example.com"</span><span class="token punctuation">,</span> <span class="token property">"accept"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"192.0.2.100:22"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token comment">// allow access to the tailscale IP</span> <span class="token property">"deny"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"198.51.100.7:22"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> 
<span class="token comment">// does not allow access to the subnet</span> <span class="token punctuation">}</span> <span class="token punctuation">]</span><span class="token punctuation">,</span> </code></pre></div> <p>Only devices with access to <code>autogroup:internet</code> can use exit nodes. All other devices (without access to <code>autogroup:internet</code>) cannot use exit nodes. You can enforce this with a test that fails if any rule accidentally allows access to a public address. The following example test fails if <code>not-allowed@example.com</code> can access <code>198.51.100.8:22</code>.</p> <div class="group relative overflow-hidden"><div class="absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100"><button type="button" aria-label="copy"><svg width="17" height="17" viewBox="0 0 17 17" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M12.8333 9.91667H14.0833C15.0038 9.91667 15.75 9.1705 15.75 8.25V2.41667C15.75 1.49619 15.0038 0.75 14.0833 0.75H8.25C7.3295 0.75 6.58333 1.49619 6.58333 2.41667V3.66667M2.41667 6.58333H8.25C9.1705 6.58333 9.91667 7.3295 9.91667 8.25V14.0833C9.91667 15.0038 9.1705 15.75 8.25 15.75H2.41667C1.49619 15.75 0.75 15.0038 0.75 14.0833V8.25C0.75 7.3295 1.49619 6.58333 2.41667 6.58333Z" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path></svg></button></div><pre class="refractor language-json"><code class="language-json"><span class="token property">"tests"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <span class="token punctuation">{</span> <span class="token property">"src"</span><span class="token operator">:</span> <span class="token string">"not-allowed@example.com"</span><span class="token punctuation">,</span> <span class="token property">"accept"</span><span class="token operator">:</span> <span class="token 
punctuation">[</span><span class="token string">"192.0.2.100:22"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token comment">// allow access to the tailscale IP</span> <span class="token property">"deny"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"198.51.100.8:22"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token comment">// does not allow access to a public IP</span> <span class="token punctuation">}</span> <span class="token punctuation">]</span><span class="token punctuation">,</span> </code></pre></div> <p>You cannot restrict the use of specific exit nodes using ACLs. Refer to <a href="https://github.com/tailscale/tailscale/issues/1567">issue #1567</a> for updates.</p> <h3 id="taildrop-precedence"><a class="group flex items-center gap-2" href="#taildrop-precedence"><span id="inner-text">Taildrop precedence</span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>Taildrop permits you to share files between devices you're logged in to, even if you use ACLs to restrict access.</p> <span id="grants"></span> <h2 id="grants"><a class="group flex items-center gap-2" href="#grants"><span id="inner-text">Grants</span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" 
stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h2> <div class="note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm"><span class="absolute left-3 top-3 inline-block h-[18px] w-[18px]"><svg xmlns="http://www.w3.org/2000/svg" width="18px" height="18px" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg></span>Grants<!-- --> <!-- -->are<!-- --> currently<!-- --> <a class="!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline" href="/kb/1167/release-stages#beta">in <!-- -->beta</a>.</div> <p>Grants are a new, more powerful approach to access control. They let you do everything you can with ACLs, plus more. When communicating with a destination device, you can grant <a href="https://en.wikipedia.org/wiki/Application_layer">application layer</a> capabilities to a set of devices or users. You can also continue to define traditional <a href="https://en.wikipedia.org/wiki/Network_layer">network layer</a> capabilities. For example, you can use a grant rule to give a group of users access to port <code>8443</code> on a server, <em>and</em> define the files they can edit on that server.</p> <p>The grants system combines network layer and application layer capabilities into a shared syntax. As a result, it offers enhanced flexibility and fine-grained control over resource access. Each grant only requires a source and a destination. 
Because Tailscale takes a deny-by-default approach, each grant has an implied <em>accept</em> action.</p> <br/> <a href="/kb/1324/grants" class="not-prose group relative flex rounded-md p-2 text-base transition-all hover:bg-blue-100"><svg class="icon relative -top-px mr-2 inline-block h-auto stroke-blue-500 group-hover:stroke-blue-700" style="flex:0 0 1.35rem"><use href="/files/images/marketing/icons.svg#file-text"></use></svg><div><h4 class="stretched-link m-0 flex !text-base !font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 transition-colors hover:decoration-blue-500 focus-visible:no-underline group-hover:!text-blue-700">Learn more about grants</h4><p class="!text-base text-gray-600 group-hover:text-gray-700">Learn how to grant capabilities at the network and application layers.</p></div></a> <h2 id="reference-users"><a class="group flex items-center gap-2" href="#reference-users"><span id="inner-text">Reference users</span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h2> <div class="note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm"><span class="absolute left-3 top-3 inline-block h-[18px] w-[18px]"><svg xmlns="http://www.w3.org/2000/svg" width="18px" height="18px" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" 
y2="8"></line></svg></span>Users<!-- --> <!-- -->are<!-- --> available for <a class="!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline" href="/pricing">the Personal, Personal Plus, Premium, and Enterprise plans</a>.</div> <p>You can specify users in an access rule's source (<code>src</code>) and destination (<code>dst</code>) fields. To specify a user, use one of the following formats (depending on how the user signs into Tailscale):</p> <table><thead><tr><th><strong>Format</strong></th><th><strong>Description</strong></th><th><strong>Example</strong></th></tr></thead><tbody><tr><td><code>username@example.com</code></td><td>Use if the user signs into Tailscale with an email address.</td><td><code>alice@example.com</code></td></tr><tr><td><code>username@github</code></td><td>Use if the user signs into Tailscale with a GitHub account.</td><td><code>alice@github</code></td></tr><tr><td><code>username@passkey</code></td><td>Use if the user signs into Tailscale with a Passkey.</td><td><code>alice@passkey</code></td></tr></tbody></table> <p>You can use groups to reference sets of users. Groups let you define role-based access controls. 
There are multiple types of groups:</p> <ul> <li>Auto groups that reference all users with the same property.</li> <li>Groups defined in the <code>groups</code> section of the tailnet policy file as a specific list of users.</li> <li>Groups provisioned in the identity provider and synced through user and group provisioning.</li> </ul> <h2 id="autogroups"><a class="group flex items-center gap-2" href="#autogroups"><span id="inner-text">Autogroups</span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h2> <div class="note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm"><span class="absolute left-3 top-3 inline-block h-[18px] w-[18px]"><svg xmlns="http://www.w3.org/2000/svg" width="18px" height="18px" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg></span>Autogroups<!-- --> <!-- -->are<!-- --> available for <a class="!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline" href="/pricing">all plans</a>.</div> <p>An <a href="/kb/1396/targets#autogroups">autogroup</a> is a special group that automatically includes users, destinations, or usernames with the same properties.</p> <table 
class="w-full"><thead><tr><th><strong>Allowed</strong></th><th><strong>Autogroup</strong></th><th><strong>Description</strong></th><th><strong>Availability by plan</strong></th></tr></thead><tbody class="fs-small"><tr><td rowspan="2">As a <code>dst</code></td><td><code>autogroup:internet</code></td><td>Use to allow access for any user through <i>any</i> <a href="/kb/1103/exit-nodes">exit node</a> in your tailnet.</td><td rowspan="2">Available on <a href="/pricing">all plans</a></td></tr><tr><td><code>autogroup:self</code></td><td>Use to allow access for any user that is authenticated as the same user as the source. Does not apply to tags.</td></tr><tr><td rowspan="9">As a <code>src</code> or <code>dst</code>, <code>tagOwner</code>, or <code>autoApprover</code></td><td><code>autogroup:owner</code></td><td>Use to allow access for the tailnet <a href="/kb/1138/user-roles/#owner">Owner</a>.</td><td rowspan="4">Available on <a href="/pricing">all plans</a></td></tr><tr><td><code>autogroup:admin</code></td><td>Use to allow access for any user who has the role of <a href="/kb/1138/user-roles/#admin">Admin</a>.</td></tr><tr><td><code>autogroup:member</code></td><td>Use to allow access for any user who is a direct member (including all invited users) of the tailnet. 
Does not include users from shared devices.</td></tr><tr><td><code>autogroup:tagged</code></td><td>Use to allow access for any device that is <a href="/kb/1068/tags/">tagged</a>.</td></tr><tr><td><code>autogroup:auditor</code></td><td>Use to allow access for any user who has the role of <a href="/kb/1138/user-roles/#auditor">Auditor</a>.</td><td rowspan="4">Available on <a href="/pricing">the Personal, Personal Plus, Premium, and Enterprise plans</a></td></tr><tr><td><code>autogroup:billing-admin</code></td><td>Use to allow access for any user who has the role of <a href="/kb/1138/user-roles/#billing-admin">Billing admin</a>.</td></tr><tr><td><code>autogroup:it-admin</code></td><td>Use to allow access for any user who has the role of <a href="/kb/1138/user-roles/#it-admin">IT admin</a>.</td></tr><tr><td><code>autogroup:network-admin</code></td><td>Use to allow access for any user who has the role of <a href="/kb/1138/user-roles/#network-admin">Network admin</a>.</td></tr><tr><td><code>user:*@&lt;domain&gt;</code></td><td>Use to allow access for any user whose login is in the specified domain and who is a direct member (including all invited users) of the tailnet. Does not include users from shared devices.</td><td>Available on <a href="/pricing">the Starter, Premium, and Enterprise plans</a></td></tr><tr><td>As a <code>src</code></td><td><code>autogroup:shared</code></td><td>Use to allow access for any user who accepted a <a href="/kb/1084/sharing">sharing</a> invitation to your network. 
This lets you write rules without knowing the email addresses in advance.</td><td>Available on <a href="/pricing">all plans</a></td></tr><tr><td rowspan="2">As an <a href="/kb/1337/acl-syntax/#ssh">SSH</a> user</td><td><code>autogroup:nonroot</code></td><td>Use to allow <a href="/kb/1193/tailscale-ssh/">Tailscale SSH</a> access to any user that is not <code>root</code>.</td><td>Available on <a href="/pricing">the Personal, Personal Plus, Premium, and Enterprise plans</a></td></tr><tr><td><code>localpart:*@&lt;domain&gt;</code></td><td>Use to allow <a href="/kb/1193/tailscale-ssh/">Tailscale SSH</a> access to the user whose name matches the <a href="https://datatracker.ietf.org/doc/html/rfc2822#section-3.4.1">local-part</a> of the user's login.</td><td>Available on <a href="/pricing">the Premium and Enterprise plans</a></td></tr></tbody></table> <div class="note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm"><span class="absolute left-3 top-3 inline-block h-[18px] w-[18px]"><svg xmlns="http://www.w3.org/2000/svg" width="18px" height="18px" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg></span><p><code>autogroup:self</code> only applies to user-owned devices. It does not apply to tagged devices. 
You cannot use <code>autogroup:self</code> with <code>autogroup:tagged</code>.</p></div> <div class="note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm"><span class="absolute left-3 top-3 inline-block h-[18px] w-[18px]"><svg xmlns="http://www.w3.org/2000/svg" width="18px" height="18px" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg></span><p>The legacy autogroup <code>autogroup:members</code> will continue to work, but it's best practice to use <code>autogroup:member</code> instead. You cannot use both <code>autogroup:member</code> and <code>autogroup:members</code> in the same tailnet policy file.</p></div> <p>The following example <a href="#ssh"><code>ssh</code> rule</a> allows all users Tailscale SSH access to devices they own (as non-root):</p> <div class="group relative overflow-hidden"><div class="absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100"><button type="button" aria-label="copy"><svg width="17" height="17" viewBox="0 0 17 17" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M12.8333 9.91667H14.0833C15.0038 9.91667 15.75 9.1705 15.75 8.25V2.41667C15.75 1.49619 15.0038 0.75 14.0833 0.75H8.25C7.3295 0.75 6.58333 1.49619 6.58333 2.41667V3.66667M2.41667 6.58333H8.25C9.1705 6.58333 9.91667 7.3295 9.91667 8.25V14.0833C9.91667 15.0038 9.1705 15.75 8.25 15.75H2.41667C1.49619 15.75 0.75 15.0038 0.75 14.0833V8.25C0.75 7.3295 1.49619 6.58333 2.41667 6.58333Z" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path></svg></button></div><pre class="refractor language-json"><code class="language-json"><span 
class="token property">"ssh"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <span class="token punctuation">{</span> <span class="token comment">// All users can SSH to their own devices, as non-root</span> <span class="token property">"action"</span><span class="token operator">:</span> <span class="token string">"accept"</span><span class="token punctuation">,</span> <span class="token property">"src"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"autogroup:member"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"dst"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"autogroup:self"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"users"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"autogroup:nonroot"</span><span class="token punctuation">]</span> <span class="token punctuation">}</span><span class="token punctuation">,</span> <span class="token punctuation">]</span> </code></pre></div> <p class="ts-prose">In the default ACL, the <code>ssh</code> rule uses <code>autogroup:self</code> for the <code>dst</code> field and <code>autogroup:nonroot</code> in the <code>users</code> field. If you change the <code>dst</code> field from <code>autogroup:self</code> to some other destination, such as an <a href="https://tailscale.com/kb/1068/acl-tags/">ACL tag</a>, also consider replacing<!-- --> <code>autogroup:nonroot</code> in the <code>users</code> field. 
If you don't remove <code>autogroup:nonroot</code> from the <code>users</code> field, then anyone permitted by the <code>src</code> setting will be able to SSH in as any nonroot user on the <code>dst</code> device.</p> <span id="domainbased"></span> <h3 id="domain-based-autogroups"><a class="group flex items-center gap-2" href="#domain-based-autogroups"><span id="inner-text">Domain based autogroups</span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>Some autogroups include a specific domain name. For example, <code>user:*@example.com</code> or <code>localpart:*@example.com</code>. These autogroups include users who are both members of the tailnet and whose login is in the autogroup domain. For example, if the tailnet <code>example.com</code> uses the autogroup <code>user:*@altostrat.com</code>, this group includes all members of the <code>example.com</code> tailnet who log in as a user at <code>@altostrat.com</code> (such as <code>laura@altostrat.com</code>).</p> <p>The following restrictions apply to the domains used in autogroups:</p> <ul> <li>The provided domain must not be a known shared domain (such as <code>gmail.com</code>).</li> <li>If a tailnet uses domain aliases, you must explicitly specify the aliased domains in the ACL. 
For example, if <code>example.io</code> is aliased to <code>example.com</code> and you want to include users from both <code>example.com</code> and <code>example.io</code>, use both <code>user:*@example.com</code> and <code>user:*@example.io</code>.</li> <li>Although the expressions use the wildcard <code>*</code>, it does not support arbitrary wildcards. For example, <code>user:b*b@example.com</code> will not match <code>bob@example.com</code>.</li> </ul> <span id="groups"></span> <h2 id="groups"><a class="group flex items-center gap-2" href="#groups"><span id="inner-text">Groups</span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h2> <div class="note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm"><span class="absolute left-3 top-3 inline-block h-[18px] w-[18px]"><svg xmlns="http://www.w3.org/2000/svg" width="18px" height="18px" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg></span>Groups<!-- --> <!-- -->are<!-- --> available for <a class="!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline" href="/pricing">the Personal, Personal Plus, Premium, and Enterprise plans</a>.</div> <p>The <code>groups</code> section lets you create groups of users, which you can 
use in access rules (instead of listing users out explicitly). Any change you make to the membership of a group propagates to all the rules that reference that group.</p> <p>The following example demonstrates creating an <code>engineering</code> group and a <code>sales</code> group.</p> <div class="group relative overflow-hidden"><div class="absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100"><button type="button" aria-label="copy"><svg width="17" height="17" viewBox="0 0 17 17" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M12.8333 9.91667H14.0833C15.0038 9.91667 15.75 9.1705 15.75 8.25V2.41667C15.75 1.49619 15.0038 0.75 14.0833 0.75H8.25C7.3295 0.75 6.58333 1.49619 6.58333 2.41667V3.66667M2.41667 6.58333H8.25C9.1705 6.58333 9.91667 7.3295 9.91667 8.25V14.0833C9.91667 15.0038 9.1705 15.75 8.25 15.75H2.41667C1.49619 15.75 0.75 15.0038 0.75 14.0833V8.25C0.75 7.3295 1.49619 6.58333 2.41667 6.58333Z" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path></svg></button></div><pre class="refractor language-json"><code class="language-json"><span class="token property">"groups"</span><span class="token operator">:</span> <span class="token punctuation">{</span> <span class="token property">"group:engineering"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <span class="token string">"dave@example.com"</span><span class="token punctuation">,</span> <span class="token string">"laura@example.com"</span><span class="token punctuation">,</span> <span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"group:sales"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <span class="token string">"brad@example.com"</span><span class="token punctuation">,</span> <span class="token 
string">"alice@example.com"</span><span class="token punctuation">,</span> <span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token punctuation">}</span><span class="token punctuation">,</span> </code></pre></div> <p>Every group name must start with the prefix <code>group:</code>. Each group member is specified by their full email address, as explained in the <a href="#reference-users">users section</a> above. To avoid the risk of obfuscating group membership, groups cannot contain other groups.</p> <p>You can add or remove a user's group membership by editing the tailnet policy file, as shown in the example <code>groups</code> definition above, and directly from the <a href="https://login.tailscale.com/admin/users"><strong>Users</strong></a> page of the admin console.</p> <h3 id="edit-a-users-group-membership-from-the-users-page"><a class="group flex items-center gap-2" href="#edit-a-users-group-membership-from-the-users-page"><span id="inner-text">Edit a user's group membership from the Users page</span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>You must be an <a class="!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline" href="/kb/1138/user-roles">Owner, Admin, or Network admin</a> to edit a user's group membership from the <strong>Users</strong> page.</p> <ol> <li>Open the <a href="https://login.tailscale.com/admin/users"><strong>Users</strong></a> page in the admin console.</li> 
<li>Find the user by name.</li> <li>Select the <img alt="ellipsis icon" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" class="fa-icon !text-gray-400" style="color:transparent" src="/files/images/icons/fa-ellipsis-h.svg"/> menu > <strong>Edit group membership</strong>.</li> <li>In the <strong>Edit group membership</strong> dialog:<!-- --> <ol> <li>To add a group, select <strong>Add to a group</strong>, then the group to add.</li> <li>To remove a group, select the <strong>X</strong> next to the group to delete.</li> </ol> </li> <li>When you finish editing the groups for the user, select <strong>Save</strong>.</li> </ol> <h3 id="provisioned-groups"><a class="group flex items-center gap-2" href="#provisioned-groups"><span id="inner-text">Provisioned groups</span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>You can create groups in your identity provider and sync them with Tailscale's ACLs with <a href="/kb/1290/user-group-provisioning#syncing-group-membership">user and group provisioning</a>.</p> <p>You can use the same human-readable group names in your identity provider to refer to groups in your tailnet policy file. 
The following example shows an access rule that manages access for the “security-team” group.</p> <div class="group relative overflow-hidden"><div class="absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100"><button type="button" aria-label="copy"><svg width="17" height="17" viewBox="0 0 17 17" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M12.8333 9.91667H14.0833C15.0038 9.91667 15.75 9.1705 15.75 8.25V2.41667C15.75 1.49619 15.0038 0.75 14.0833 0.75H8.25C7.3295 0.75 6.58333 1.49619 6.58333 2.41667V3.66667M2.41667 6.58333H8.25C9.1705 6.58333 9.91667 7.3295 9.91667 8.25V14.0833C9.91667 15.0038 9.1705 15.75 8.25 15.75H2.41667C1.49619 15.75 0.75 15.0038 0.75 14.0833V8.25C0.75 7.3295 1.49619 6.58333 2.41667 6.58333Z" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path></svg></button></div><pre class="refractor language-json"><code class="language-json"><span class="token punctuation">{</span> <span class="token property">"acls"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <span class="token punctuation">{</span> <span class="token property">"action"</span><span class="token operator">:</span> <span class="token string">"accept"</span><span class="token punctuation">,</span> <span class="token property">"src"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"group:security-team@example.com"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"dst"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"tag:logging:*"</span><span class="token punctuation">]</span> <span class="token punctuation">}</span> <span class="token punctuation">]</span><span class="token punctuation">,</span> 
<span class="token property">"tagOwners"</span><span class="token operator">:</span> <span class="token punctuation">{</span> <span class="token property">"tag:logging"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"group:security-team@example.com"</span><span class="token punctuation">]</span> <span class="token punctuation">}</span> <span class="token punctuation">}</span> </code></pre></div> <p>You can only edit groups defined in ACLs. You can use groups synced from a System for Cross-domain Identity Management (SCIM) integration or tailnet autogroups, but you cannot edit them.</p> <h2 id="reference-multiple-devices"><a class="group flex items-center gap-2" href="#reference-multiple-devices"><span id="inner-text">Reference multiple devices</span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h2> <p>You can define access rules for sets of devices using tags or hosts. Tags let you define role-based access controls so that different services have different access rules. Hosts let you define controls based on a reference to an IP address.</p> <ul> <li>Tags reference groups of non-user devices (such as applications or servers). For example, you might have a tag that groups all servers in a particular data center.</li> <li>Hosts reference groups of devices by IP address ranges (both on and beyond the tailnet). 
For example, you can use hosts to address applications with fixed IP addresses that you might be unable to modify.</li> </ul> <span id="tags"></span> <h3 id="tags"><a class="group flex items-center gap-2" href="#tags"><span id="inner-text">Tags</span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <div class="note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm"><span class="absolute left-3 top-3 inline-block h-[18px] w-[18px]"><svg xmlns="http://www.w3.org/2000/svg" width="18px" height="18px" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg></span>Tags<!-- --> <!-- -->are<!-- --> available for <a class="!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline" href="/pricing">all plans</a>.</div> <p>The <code>tags</code> section of the tailnet policy file lets you create <a href="/kb/1068/tags">tags</a> that group non-human devices. 
You can then use the tags to select these devices in an ACL.</p> <div class="note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm"><span class="absolute left-3 top-3 inline-block h-[18px] w-[18px]"><svg xmlns="http://www.w3.org/2000/svg" width="18px" height="18px" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg></span><p>You must <a href="/kb/1068/tags#define-a-tag">define the tag</a> in the <a href="#tag-owners"><code>tagOwners</code></a> section of the tailnet policy file before using it in an ACL. To tag a device, <a href="/kb/1068/tags#apply-a-tag-to-a-device">authenticate as the tag on the device</a>.</p></div> <span id="hosts"></span> <h3 id="hosts"><a class="group flex items-center gap-2" href="#hosts"><span id="inner-text">Hosts</span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <div class="note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm"><span class="absolute left-3 top-3 inline-block h-[18px] w-[18px]"><svg xmlns="http://www.w3.org/2000/svg" width="18px" height="18px" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" 
y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg></span>Hosts<!-- --> <!-- -->are<!-- --> available for <a class="!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline" href="/pricing">all plans</a>.</div> <p>The <code>hosts</code> section lets you define a human-friendly name for an IP address or CIDR range.</p> <p>The following example shows two host definitions: one for a single IP address and one for a CIDR range.</p> <div class="group relative overflow-hidden"><div class="absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100"><button type="button" aria-label="copy"><svg width="17" height="17" viewBox="0 0 17 17" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M12.8333 9.91667H14.0833C15.0038 9.91667 15.75 9.1705 15.75 8.25V2.41667C15.75 1.49619 15.0038 0.75 14.0833 0.75H8.25C7.3295 0.75 6.58333 1.49619 6.58333 2.41667V3.66667M2.41667 6.58333H8.25C9.1705 6.58333 9.91667 7.3295 9.91667 8.25V14.0833C9.91667 15.0038 9.1705 15.75 8.25 15.75H2.41667C1.49619 15.75 0.75 15.0038 0.75 14.0833V8.25C0.75 7.3295 1.49619 6.58333 2.41667 6.58333Z" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path></svg></button></div><pre class="refractor language-json"><code class="language-json"><span class="token property">"hosts"</span><span class="token operator">:</span> <span class="token punctuation">{</span> <span class="token property">"example-host-1"</span><span class="token operator">:</span> <span class="token string">"198.51.100.100"</span><span class="token punctuation">,</span> <span class="token property">"example-network-1"</span><span class="token operator">:</span> <span class="token string">"198.51.100.0/24"</span><span class="token punctuation">,</span> <span class="token 
punctuation">}</span><span class="token punctuation">,</span> </code></pre></div> <div class="note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm"><span class="absolute left-3 top-3 inline-block h-[18px] w-[18px]"><svg xmlns="http://www.w3.org/2000/svg" width="18px" height="18px" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg></span><p>The human-friendly hostname cannot include the character <code>@</code>.</p></div> <span id="postures"></span> <h2 id="postures"><a class="group flex items-center gap-2" href="#postures"><span id="inner-text">Postures</span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h2> <div class="note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm"><span class="absolute left-3 top-3 inline-block h-[18px] w-[18px]"><svg xmlns="http://www.w3.org/2000/svg" width="18px" height="18px" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg></span>Postures<!-- --> <!-- -->are<!-- --> available for <a class="!font-medium !text-blue-500 underline decoration-blue-50 
underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline" href="/pricing">all plans</a>.</div> <p>The <code>postures</code> section lets you define a set of <a href="/kb/1288/device-posture">device posture management</a> rules that a device must meet as part of a specific access rule.</p> <p>The following example shows how to use <code>postures</code> to select macOS devices that run a stable release of the Tailscale client, version 1.40 or later.</p> <div class="group relative overflow-hidden"><div class="absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100"><button type="button" aria-label="copy"><svg width="17" height="17" viewBox="0 0 17 17" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M12.8333 9.91667H14.0833C15.0038 9.91667 15.75 9.1705 15.75 8.25V2.41667C15.75 1.49619 15.0038 0.75 14.0833 0.75H8.25C7.3295 0.75 6.58333 1.49619 6.58333 2.41667V3.66667M2.41667 6.58333H8.25C9.1705 6.58333 9.91667 7.3295 9.91667 8.25V14.0833C9.91667 15.0038 9.1705 15.75 8.25 15.75H2.41667C1.49619 15.75 0.75 15.0038 0.75 14.0833V8.25C0.75 7.3295 1.49619 6.58333 2.41667 6.58333Z" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path></svg></button></div><pre class="refractor language-json"><code class="language-json"><span class="token property">"postures"</span><span class="token operator">:</span> <span class="token punctuation">{</span> <span class="token property">"posture:latestMac"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <span class="token string">"node:os IN ['macos']"</span><span class="token punctuation">,</span> <span class="token string">"node:tsReleaseTrack == 'stable'"</span><span class="token punctuation">,</span> <span class="token string">"node:tsVersion >= '1.40'"</span><span class="token punctuation">,</span> <span class="token 
punctuation">]</span><span class="token punctuation">,</span> <span class="token punctuation">}</span><span class="token punctuation">,</span> </code></pre></div> <p>Each posture must start with the prefix <code>posture:</code> followed by a name, a set of <a href="/kb/1288/device-posture#device-posture-attributes">posture attributes</a>, and their allowed values, given as a list of strings.</p> <p>Refer to <a href="/kb/1288/device-posture">device posture management</a> for more information</p> <span id="tag-owners"></span> <h2 id="tag-owners"><a class="group flex items-center gap-2" href="#tag-owners"><span id="inner-text">Tag owners</span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h2> <div class="note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm"><span class="absolute left-3 top-3 inline-block h-[18px] w-[18px]"><svg xmlns="http://www.w3.org/2000/svg" width="18px" height="18px" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg></span>Tags<!-- --> <!-- -->are<!-- --> available for <a class="!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline" href="/pricing">all plans</a>.</div> <p>The <code>tagOwners</code> section of the tailnet policy file defines the 
tags assignable to devices and the list of users allowed to assign each tag.</p> <p>The following example shows a <code>tagOwners</code> definition that:</p> <ul> <li>Sets the <code>engineering</code> group as the owner of the <code>webserver</code> tag.</li> <li>Sets <code>president@example.com</code> and the <code>security-admins</code> group as the owners of the <code>secure-server</code> tag.</li> <li>Sets the <code>autogroup:member</code> autogroup as the owner of the <code>corp</code> tag.</li> </ul> <div class="group relative overflow-hidden"><div class="absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100"><button type="button" aria-label="copy"><svg width="17" height="17" viewBox="0 0 17 17" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M12.8333 9.91667H14.0833C15.0038 9.91667 15.75 9.1705 15.75 8.25V2.41667C15.75 1.49619 15.0038 0.75 14.0833 0.75H8.25C7.3295 0.75 6.58333 1.49619 6.58333 2.41667V3.66667M2.41667 6.58333H8.25C9.1705 6.58333 9.91667 7.3295 9.91667 8.25V14.0833C9.91667 15.0038 9.1705 15.75 8.25 15.75H2.41667C1.49619 15.75 0.75 15.0038 0.75 14.0833V8.25C0.75 7.3295 1.49619 6.58333 2.41667 6.58333Z" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path></svg></button></div><pre class="refractor language-json"><code class="language-json"><span class="token property">"tagOwners"</span><span class="token operator">:</span> <span class="token punctuation">{</span> <span class="token property">"tag:webserver"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <span class="token string">"group:engineering"</span><span class="token punctuation">,</span> <span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"tag:secure-server"</span><span class="token operator">:</span> <span class="token 
punctuation">[</span> <span class="token string">"group:security-admins"</span><span class="token punctuation">,</span> <span class="token string">"president@example.com"</span><span class="token punctuation">,</span> <span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"tag:corp"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <span class="token string">"autogroup:member"</span><span class="token punctuation">,</span> <span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token punctuation">}</span> </code></pre></div> <p>Every tag name must start with the prefix <code>tag:</code>. A tag owner can be a user's full login email address (as defined in the <a href="#reference-users">users section</a> above), a <a href="#groups">group name</a>, an <a href="#autogroups">autogroup</a>, or another tag.</p> <p>A shorthand notation, <code>[]</code>, is available for <code>autogroup:admin</code>. 
That is, the following are equivalent:</p> <div class="group relative overflow-hidden"><div class="absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100"><button type="button" aria-label="copy"><svg width="17" height="17" viewBox="0 0 17 17" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M12.8333 9.91667H14.0833C15.0038 9.91667 15.75 9.1705 15.75 8.25V2.41667C15.75 1.49619 15.0038 0.75 14.0833 0.75H8.25C7.3295 0.75 6.58333 1.49619 6.58333 2.41667V3.66667M2.41667 6.58333H8.25C9.1705 6.58333 9.91667 7.3295 9.91667 8.25V14.0833C9.91667 15.0038 9.1705 15.75 8.25 15.75H2.41667C1.49619 15.75 0.75 15.0038 0.75 14.0833V8.25C0.75 7.3295 1.49619 6.58333 2.41667 6.58333Z" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path></svg></button></div><pre class="refractor language-json"><code class="language-json"><span class="token property">"tag:monitoring"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <span class="token string">"autogroup:admin"</span><span class="token punctuation">,</span> <span class="token punctuation">]</span><span class="token punctuation">,</span> </code></pre></div> <div class="group relative overflow-hidden"><div class="absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100"><button type="button" aria-label="copy"><svg width="17" height="17" viewBox="0 0 17 17" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M12.8333 9.91667H14.0833C15.0038 9.91667 15.75 9.1705 15.75 8.25V2.41667C15.75 1.49619 15.0038 0.75 14.0833 0.75H8.25C7.3295 0.75 6.58333 1.49619 6.58333 2.41667V3.66667M2.41667 6.58333H8.25C9.1705 6.58333 9.91667 7.3295 9.91667 8.25V14.0833C9.91667 15.0038 9.1705 15.75 8.25 15.75H2.41667C1.49619 15.75 0.75 15.0038 0.75 
14.0833V8.25C0.75 7.3295 1.49619 6.58333 2.41667 6.58333Z" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path></svg></button></div><pre class="refractor language-json"><code class="language-json"><span class="token property">"tag:monitoring"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token punctuation">]</span><span class="token punctuation">,</span> </code></pre></div> <p>The autogroups <code>autogroup:admin</code> and <code>autogroup:network-admin</code> can assign all tags, so <code>[]</code> implicitly allows only <code>autogroup:admin</code> and <code>autogroup:network-admin</code>.</p> <span id="autoapprovers"></span> <h2 id="auto-approvers"><a class="group flex items-center gap-2" href="#auto-approvers"><span id="inner-text">Auto approvers</span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h2> <div class="note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm"><span class="absolute left-3 top-3 inline-block h-[18px] w-[18px]"><svg xmlns="http://www.w3.org/2000/svg" width="18px" height="18px" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg></span>Auto approvers<!-- --> <!-- -->are<!-- --> available for <a class="!font-medium !text-blue-500 underline 
decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline" href="/pricing">all plans</a>.</div> <p>The <code>autoApprovers</code> section of the tailnet policy file defines the list of users who can perform specific actions without further approval from the admin console. Some actions in Tailscale require double opt-in: an <a class="!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline" href="/kb/1138/user-roles">Admin</a> must enable them on the device running Tailscale and in the Tailscale admin console. These actions include:</p> <ul> <li><a href="/kb/1019/subnets/connect-to-tailscale-as-a-subnet-router">Advertising a specified set of routes</a> as a subnet router.</li> <li><a href="/kb/1103/exit-nodes#advertise-a-device-as-an-exit-node">Advertising an exit node</a>.</li> </ul> <p>For routes, this also permits the auto approvers to advertise a subnet of the specified routes.</p> <p>Tailscale stops advertising a route if one of the following occurs:</p> <ul> <li>The device is re-authenticated by a different user (who cannot advertise the route or exit node).</li> <li>The user who advertised the route is suspended or deleted.</li> </ul> <p>To avoid a scenario where Tailscale stops advertising a route, consider using a <a href="/kb/1068/tags">tag</a> as an auto approver.</p> <p>The following example shows an <code>autoApprovers</code> definition that automatically approves the <code>192.0.2.0/24</code> routes for <code>alice@example.com</code>, members of the <code>engineering</code> group, and devices tagged with <code>foo</code>. 
It also automatically approves devices tagged with <code>bar</code> to advertise themselves as an exit node.</p> <div class="group relative overflow-hidden"><div class="absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100"><button type="button" aria-label="copy"><svg width="17" height="17" viewBox="0 0 17 17" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M12.8333 9.91667H14.0833C15.0038 9.91667 15.75 9.1705 15.75 8.25V2.41667C15.75 1.49619 15.0038 0.75 14.0833 0.75H8.25C7.3295 0.75 6.58333 1.49619 6.58333 2.41667V3.66667M2.41667 6.58333H8.25C9.1705 6.58333 9.91667 7.3295 9.91667 8.25V14.0833C9.91667 15.0038 9.1705 15.75 8.25 15.75H2.41667C1.49619 15.75 0.75 15.0038 0.75 14.0833V8.25C0.75 7.3295 1.49619 6.58333 2.41667 6.58333Z" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path></svg></button></div><pre class="refractor language-json"><code class="language-json"><span class="token property">"autoApprovers"</span><span class="token operator">:</span> <span class="token punctuation">{</span> <span class="token property">"routes"</span><span class="token operator">:</span> <span class="token punctuation">{</span> <span class="token property">"192.0.2.0/24"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"group:engineering"</span><span class="token punctuation">,</span> <span class="token string">"alice@example.com"</span><span class="token punctuation">,</span> <span class="token string">"tag:foo"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token punctuation">}</span><span class="token punctuation">,</span> <span class="token property">"exitNode"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"tag:bar"</span><span class="token 
punctuation">]</span><span class="token punctuation">,</span> <span class="token punctuation">}</span> </code></pre></div> <p>The auto approver of a route or exit node can be a user's full login email address (as defined in the <a href="#reference-users">users section</a> above), a <a href="#groups">group name</a>, an <a href="#autogroups">autogroup</a> or a tag.</p> <span id="ssh"></span> <h2 id="tailscale-ssh"><a class="group flex items-center gap-2" href="#tailscale-ssh"><span id="inner-text">Tailscale SSH</span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h2> <div class="note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm"><span class="absolute left-3 top-3 inline-block h-[18px] w-[18px]"><svg xmlns="http://www.w3.org/2000/svg" width="18px" height="18px" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg></span>Tailscale SSH<!-- --> <!-- -->is<!-- --> available for <a class="!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline" href="/pricing">the Personal, Personal Plus, Premium, and Enterprise plans</a>.</div> <p>The <code>ssh</code> section of the tailnet policy file defines lists of users and devices that can use <a 
href="/kb/1193/tailscale-ssh">Tailscale SSH</a> (and the SSH users). To allow a connection, the tailnet policy file must contain rules permitting both network access and SSH access:</p> <ol> <li>An access rule to allow connections from the source to the destination on port 22.</li> <li>An SSH access rule to allow connections from the source to the destination and the given SSH users. Tailscale SSH uses this to distribute keys to authenticating SSH connections.</li> </ol> <p>The following example shows an <code>ssh</code> definition that requires a list of sources, destinations, and SSH users to re-authenticate every 20 hours.</p> <div class="group relative overflow-hidden"><div class="absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100"><button type="button" aria-label="copy"><svg width="17" height="17" viewBox="0 0 17 17" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M12.8333 9.91667H14.0833C15.0038 9.91667 15.75 9.1705 15.75 8.25V2.41667C15.75 1.49619 15.0038 0.75 14.0833 0.75H8.25C7.3295 0.75 6.58333 1.49619 6.58333 2.41667V3.66667M2.41667 6.58333H8.25C9.1705 6.58333 9.91667 7.3295 9.91667 8.25V14.0833C9.91667 15.0038 9.1705 15.75 8.25 15.75H2.41667C1.49619 15.75 0.75 15.0038 0.75 14.0833V8.25C0.75 7.3295 1.49619 6.58333 2.41667 6.58333Z" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path></svg></button></div><pre class="refractor language-json"><code class="language-json"><span class="token punctuation">{</span> <span class="token property">"action"</span><span class="token operator">:</span> <span class="token string">"check"</span><span class="token punctuation">,</span> <span class="token comment">// "accept" or "check"</span> <span class="token property">"src"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <list-of-sources> <span class="token 
punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"dst"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <list-of-destinations> <span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"users"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <list-of-ssh-users> <span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"checkPeriod"</span><span class="token operator">:</span> <span class="token string">"20h"</span><span class="token punctuation">,</span> <span class="token comment">// optional, only for check actions. default 12h</span> <span class="token property">"acceptEnv"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <span class="token string">"GIT_EDITOR"</span><span class="token punctuation">,</span> <span class="token string">"GIT_COMMITTER_*"</span><span class="token punctuation">,</span> <span class="token string">"CUSTOM_VAR_V?"</span> <span class="token punctuation">]</span> <span class="token comment">// optional, allowlists environment variables that can be forwarded from clients to the host</span> <span class="token punctuation">}</span><span class="token punctuation">,</span> </code></pre></div> <h3 id="action-1"><a class="group flex items-center gap-2" href="#action-1"><span id="inner-text"><code>action</code></span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> 
<p>Specifies whether to accept the connection or to perform additional checks on it.</p> <ul> <li><code>accept</code> accepts connections from users already authenticated in the tailnet.</li> <li><code>check</code> requires users to periodically reauthenticate according to the <code>checkPeriod</code>.</li> </ul> <h3 id="src-1"><a class="group flex items-center gap-2" href="#src-1"><span id="inner-text"><code>src</code></span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>Specifies the source (where a connection originates from). You can only define an access rule's destination (<code>dst</code>) as yourself, a group, a tag, or an autogroup. You cannot use <code>*</code>, other users, IP addresses, or hostnames.</p> <p>It's impossible to guarantee the ownership of an IP address or hostname when you create an access rule. As a security measure, Tailscale prevents using users, IP addresses, or hostnames in the <code>dst</code> field of access rules to protect against scenarios in which one user can unintentionally access a device that doesn't belong to them. 
Tailscale also prevents any <code>src</code> and <code>dst</code> combinations that allow multiple users to access a single user's device.</p> <div class="note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm"><span class="absolute left-3 top-3 inline-block h-[18px] w-[18px]"><svg xmlns="http://www.w3.org/2000/svg" width="18px" height="18px" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg></span><p>Granting access to <code>autogroup:member</code> also allows access to <a href="/kb/1271/invite-any-user">external invited users</a> if the destination device is <a href="/kb/1084/sharing">shared</a> with them, even if they have no devices in your tailnet.</p></div> <h3 id="dst-1"><a class="group flex items-center gap-2" href="#dst-1"><span id="inner-text"><code>dst</code></span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>Specifies the destination (where the connection goes). The destination can be a user, tag, or autogroup. Unlike ACLs, you cannot specify a port because only port <code>22</code> is allowed. 
You cannot use <code>*</code> as the destination.</p> <h3 id="users"><a class="group flex items-center gap-2" href="#users"><span id="inner-text"><code>users</code></span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>Specifies the set of allowed usernames on the host. Tailscale only uses user accounts that already exist on the host.</p> <ul> <li>Specify <code>autogroup:nonroot</code> to allow any user that is not <code>root</code>.</li> <li>Specify <code>localpart:*@&lt;domain&gt;</code> to allow the user on the host whose name matches the <a href="https://datatracker.ietf.org/doc/html/rfc2822#section-3.4.1">local-part</a> of the user's login, if and only if the user's login email is in <code>&lt;domain&gt;</code>. Tailscale does not do any special processing on the local-part. For example, if the login is <code>dave+sshuser@example.com</code>, Tailscale will map this to the SSH user <code>dave+sshuser</code>.</li> <li>If no user is specified, Tailscale will use the local host’s user. 
That is, if the user is logged in as <code>alice</code> locally, then connects with SSH to another device, Tailscale SSH will try to log in as user <code>alice</code>.</li> </ul> <h3 id="checkperiod"><a class="group flex items-center gap-2" href="#checkperiod"><span id="inner-text"><code>checkPeriod</code></span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>When <code>action</code> is <code>check</code>, <code>checkPeriod</code> specifies the time period for which to allow a connection before requiring a check. You can specify the time in minutes or hours. The time must be at least one minute and at most 168 hours (one week).</p> <ul> <li>The default check period is 12 hours.</li> <li>You can also specify <code>always</code> to require a check on every connection. 
Using <code>always</code> might cause unexpected behavior with automation tools that open many SSH connections in quick succession (such as <a href="https://ansible.com">Ansible</a>).</li> </ul> <h3 id="acceptenv"><a class="group flex items-center gap-2" href="#acceptenv"><span id="inner-text"><code>acceptEnv</code></span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <div class="note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm"><span class="absolute left-3 top-3 inline-block h-[18px] w-[18px]"><svg xmlns="http://www.w3.org/2000/svg" width="18px" height="18px" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg></span><p>The host must be running Tailscale v1.76.0 or later to use <code>acceptEnv</code>.</p></div> <p>Specifies the set of allowlisted environment variable names that clients can send to the host using <a href="https://man.openbsd.org/ssh_config#SendEnv"><code>SendEnv</code></a> or <a href="https://man.openbsd.org/ssh_config#SetEnv"><code>SetEnv</code></a>.</p> <p>Values can contain <code>*</code> and <code>?</code> wildcard characters. 
<code>*</code> matches zero or more characters and <code>?</code> matches a single character.</p> <h4 id="acceptenv-examples"><a class="group flex items-center gap-2" href="#acceptenv-examples"><span id="inner-text"><code>acceptEnv</code> examples</span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h4> <table><thead><tr><th>acceptEnv</th><th>Permitted</th><th>Rejected</th></tr></thead><tbody><tr><td><code>*</code></td><td><code>FOO_A</code> <code>FOO_B</code> <code>FOO_OTHER</code> <code>BAZ</code></td><td></td></tr><tr><td><code>FOO_*</code></td><td><code>FOO_A</code> <code>FOO_B</code> <code>FOO_OTHER</code></td><td><code>BAZ</code></td></tr><tr><td><code>FOO_?</code></td><td><code>FOO_A</code> <code>FOO_B</code></td><td><code>FOO_OTHER</code> <code>BAZ</code></td></tr><tr><td><code>FOO_A</code></td><td><code>FOO_A</code></td><td><code>FOO_B</code> <code>FOO_OTHER</code> <code>BAZ</code></td></tr></tbody></table> <h3 id="order-of-evaluation"><a class="group flex items-center gap-2" href="#order-of-evaluation"><span id="inner-text">Order of evaluation</span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> 
<p>Tailscale evaluates SSH access rules using the most restrictive policies first:</p> <ul> <li>Check policies</li> <li>Accept policies</li> </ul> <p>For example, if you have an access rule allowing the user <code>alice@example.com</code> to access a resource with an <code>accept</code> rule, and a rule allowing <code>group:devops</code> which <code>alice@example.com</code> belongs to, to access a resource with a <code>check</code> rule, then the <code>check</code> rule applies.</p> <div class="note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm"><span class="absolute left-3 top-3 inline-block h-[18px] w-[18px]"><svg xmlns="http://www.w3.org/2000/svg" width="18px" height="18px" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg></span><p>Tailnets that have not modified their ACLs have a <a href="/kb/1193/tailscale-ssh#ssh-access-rules-in-default-acl">default SSH policy</a> allowing users to access devices they own using check mode.</p></div> <p>The only types of connections that are allowed are:</p> <ul> <li>From a user to their own devices (as any user, including <code>root</code>).</li> <li>From a user to a <a href="/kb/1068/tags">tagged</a> device (as any user, including <code>root</code>).</li> <li>From a tagged device to another tagged device (for any tags). 
An SSH access rule from a tagged device cannot be in <a href="/kb/1193/tailscale-ssh#configure-tailscale-ssh-with-check-mode">check mode</a>.</li> <li>From a user to a tagged device that has been <a href="/kb/1084/sharing">shared</a> with them, as long as the destination host has Tailscale configured with SSH and the destination’s ACL allows the user to connect over SSH.</li> </ul> <p>That is, the broadest policy allowed would be:</p> <div class="group relative overflow-hidden"><div class="absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100"><button type="button" aria-label="copy"><svg width="17" height="17" viewBox="0 0 17 17" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M12.8333 9.91667H14.0833C15.0038 9.91667 15.75 9.1705 15.75 8.25V2.41667C15.75 1.49619 15.0038 0.75 14.0833 0.75H8.25C7.3295 0.75 6.58333 1.49619 6.58333 2.41667V3.66667M2.41667 6.58333H8.25C9.1705 6.58333 9.91667 7.3295 9.91667 8.25V14.0833C9.91667 15.0038 9.1705 15.75 8.25 15.75H2.41667C1.49619 15.75 0.75 15.0038 0.75 14.0833V8.25C0.75 7.3295 1.49619 6.58333 2.41667 6.58333Z" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path></svg></button></div><pre class="refractor language-json"><code class="language-json"><span class="token punctuation">{</span> <span class="token property">"acls"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <span class="token punctuation">{</span> <span class="token property">"action"</span><span class="token operator">:</span> <span class="token string">"accept"</span><span class="token punctuation">,</span> <span class="token property">"src"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"*"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token 
property">"dst"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"*:*"</span><span class="token punctuation">]</span> <span class="token punctuation">}</span> <span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"ssh"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <span class="token punctuation">{</span> <span class="token property">"action"</span><span class="token operator">:</span> <span class="token string">"accept"</span><span class="token punctuation">,</span> <span class="token property">"src"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"autogroup:member"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"dst"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"autogroup:self"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"users"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"root"</span><span class="token punctuation">,</span> <span class="token string">"autogroup:nonroot"</span><span class="token punctuation">]</span> <span class="token punctuation">}</span><span class="token punctuation">,</span> <span class="token punctuation">{</span> <span class="token property">"action"</span><span class="token operator">:</span> <span class="token string">"accept"</span><span class="token punctuation">,</span> <span class="token property">"src"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"autogroup:member"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token 
property">"dst"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"tag:prod"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"users"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"root"</span><span class="token punctuation">,</span> <span class="token string">"autogroup:nonroot"</span><span class="token punctuation">]</span> <span class="token punctuation">}</span><span class="token punctuation">,</span> <span class="token punctuation">{</span> <span class="token property">"action"</span><span class="token operator">:</span> <span class="token string">"accept"</span><span class="token punctuation">,</span> <span class="token property">"src"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"tag:logging"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"dst"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"tag:prod"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"users"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"root"</span><span class="token punctuation">,</span> <span class="token string">"autogroup:nonroot"</span><span class="token punctuation">]</span> <span class="token punctuation">}</span> <span class="token punctuation">]</span> <span class="token punctuation">}</span> </code></pre></div> <p>To allow a user to only SSH to their own devices (as non-<code>root</code>):</p> <div class="group relative overflow-hidden"><div class="absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 
transition-opacity duration-200 group-hover:opacity-100"><button type="button" aria-label="copy"><svg width="17" height="17" viewBox="0 0 17 17" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M12.8333 9.91667H14.0833C15.0038 9.91667 15.75 9.1705 15.75 8.25V2.41667C15.75 1.49619 15.0038 0.75 14.0833 0.75H8.25C7.3295 0.75 6.58333 1.49619 6.58333 2.41667V3.66667M2.41667 6.58333H8.25C9.1705 6.58333 9.91667 7.3295 9.91667 8.25V14.0833C9.91667 15.0038 9.1705 15.75 8.25 15.75H2.41667C1.49619 15.75 0.75 15.0038 0.75 14.0833V8.25C0.75 7.3295 1.49619 6.58333 2.41667 6.58333Z" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path></svg></button></div><pre class="refractor language-json"><code class="language-json"><span class="token punctuation">{</span> <span class="token property">"acls"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <span class="token punctuation">{</span> <span class="token property">"action"</span><span class="token operator">:</span> <span class="token string">"accept"</span><span class="token punctuation">,</span> <span class="token property">"src"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"*"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"dst"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"*:*"</span><span class="token punctuation">]</span> <span class="token punctuation">}</span> <span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"ssh"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <span class="token punctuation">{</span> <span class="token property">"action"</span><span class="token operator">:</span> <span class="token string">"accept"</span><span class="token 
punctuation">,</span> <span class="token property">"src"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"autogroup:member"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"dst"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"autogroup:self"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"users"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"autogroup:nonroot"</span><span class="token punctuation">]</span> <span class="token punctuation">}</span> <span class="token punctuation">]</span> <span class="token punctuation">}</span> </code></pre></div> <p>To allow <code>group:sre</code> to access devices in the production environment tagged <code>tag:prod</code>:</p> <div class="group relative overflow-hidden"><div class="absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100"><button type="button" aria-label="copy"><svg width="17" height="17" viewBox="0 0 17 17" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M12.8333 9.91667H14.0833C15.0038 9.91667 15.75 9.1705 15.75 8.25V2.41667C15.75 1.49619 15.0038 0.75 14.0833 0.75H8.25C7.3295 0.75 6.58333 1.49619 6.58333 2.41667V3.66667M2.41667 6.58333H8.25C9.1705 6.58333 9.91667 7.3295 9.91667 8.25V14.0833C9.91667 15.0038 9.1705 15.75 8.25 15.75H2.41667C1.49619 15.75 0.75 15.0038 0.75 14.0833V8.25C0.75 7.3295 1.49619 6.58333 2.41667 6.58333Z" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path></svg></button></div><pre class="refractor language-json"><code class="language-json"><span class="token punctuation">{</span> <span class="token 
property">"groups"</span><span class="token operator">:</span> <span class="token punctuation">{</span> <span class="token property">"group:sre"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"alice@example.com"</span><span class="token punctuation">,</span> <span class="token string">"bob@example.com"</span><span class="token punctuation">]</span> <span class="token punctuation">}</span><span class="token punctuation">,</span> <span class="token property">"acls"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <span class="token punctuation">{</span> <span class="token property">"action"</span><span class="token operator">:</span> <span class="token string">"accept"</span><span class="token punctuation">,</span> <span class="token property">"src"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"group:sre"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"dst"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"tag:prod:*"</span><span class="token punctuation">]</span> <span class="token punctuation">}</span><span class="token punctuation">,</span> <span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"ssh"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <span class="token punctuation">{</span> <span class="token property">"action"</span><span class="token operator">:</span> <span class="token string">"accept"</span><span class="token punctuation">,</span> <span class="token property">"src"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"group:sre"</span><span class="token punctuation">]</span><span class="token 
punctuation">,</span> <span class="token property">"dst"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"tag:prod"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"users"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"ubuntu"</span><span class="token punctuation">,</span> <span class="token string">"root"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token punctuation">}</span><span class="token punctuation">,</span> <span class="token punctuation">]</span> <span class="token property">"tagOwners"</span><span class="token operator">:</span> <span class="token punctuation">{</span> <span class="token comment">// users in group:sre can apply the tag tag:prod</span> <span class="token property">"tag:prod"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"group:sre"</span><span class="token punctuation">]</span> <span class="token punctuation">}</span> <span class="token punctuation">}</span> </code></pre></div> <p>To allow Alice to access devices in the development environment tagged <code>tag:dev</code> that have been <a href="/kb/1084/sharing">shared</a> with them:</p> <div class="group relative overflow-hidden"><div class="absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100"><button type="button" aria-label="copy"><svg width="17" height="17" viewBox="0 0 17 17" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M12.8333 9.91667H14.0833C15.0038 9.91667 15.75 9.1705 15.75 8.25V2.41667C15.75 1.49619 15.0038 0.75 14.0833 0.75H8.25C7.3295 0.75 6.58333 1.49619 6.58333 2.41667V3.66667M2.41667 6.58333H8.25C9.1705 6.58333 9.91667 7.3295 9.91667 
8.25V14.0833C9.91667 15.0038 9.1705 15.75 8.25 15.75H2.41667C1.49619 15.75 0.75 15.0038 0.75 14.0833V8.25C0.75 7.3295 1.49619 6.58333 2.41667 6.58333Z" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path></svg></button></div><pre class="refractor language-json"><code class="language-json"><span class="token punctuation">{</span> <span class="token property">"ssh"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <span class="token punctuation">{</span> <span class="token property">"action"</span><span class="token operator">:</span> <span class="token string">"accept"</span><span class="token punctuation">,</span> <span class="token property">"src"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"alice@example.com"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"dst"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"tag:dev"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"users"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"root"</span><span class="token punctuation">,</span> <span class="token string">"alice"</span><span class="token punctuation">]</span> <span class="token punctuation">}</span><span class="token punctuation">,</span> <span class="token punctuation">]</span> <span class="token punctuation">}</span> </code></pre></div> <p>It might be useful to match host users with login emails. 
For example, you can allow <code>dave@example.com</code> to authenticate as the host user <code>dave</code>.</p> <p>To allow any tailnet member in the login domain <code>example.com</code> to access devices in the production environment that are tagged <code>tag:prod</code>, as a user that matches their login email local-part:</p> <div class="group relative overflow-hidden"><div class="absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100"><button type="button" aria-label="copy"><svg width="17" height="17" viewBox="0 0 17 17" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M12.8333 9.91667H14.0833C15.0038 9.91667 15.75 9.1705 15.75 8.25V2.41667C15.75 1.49619 15.0038 0.75 14.0833 0.75H8.25C7.3295 0.75 6.58333 1.49619 6.58333 2.41667V3.66667M2.41667 6.58333H8.25C9.1705 6.58333 9.91667 7.3295 9.91667 8.25V14.0833C9.91667 15.0038 9.1705 15.75 8.25 15.75H2.41667C1.49619 15.75 0.75 15.0038 0.75 14.0833V8.25C0.75 7.3295 1.49619 6.58333 2.41667 6.58333Z" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path></svg></button></div><pre class="refractor language-json"><code class="language-json"><span class="token punctuation">{</span> <span class="token property">"acls"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <span class="token punctuation">{</span> <span class="token property">"action"</span><span class="token operator">:</span> <span class="token string">"accept"</span><span class="token punctuation">,</span> <span class="token property">"src"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"user:*@example.com"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"dst"</span><span class="token operator">:</span> <span class="token 
punctuation">[</span><span class="token string">"tag:prod:*"</span><span class="token punctuation">]</span> <span class="token punctuation">}</span> <span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"ssh"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <span class="token punctuation">{</span> <span class="token property">"action"</span><span class="token operator">:</span> <span class="token string">"accept"</span><span class="token punctuation">,</span> <span class="token property">"src"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"user:*@example.com"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"dst"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"tag:prod"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"users"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"localpart:*@example.com"</span><span class="token punctuation">]</span> <span class="token punctuation">}</span> <span class="token punctuation">]</span> <span class="token punctuation">}</span> </code></pre></div> <span id="nodeattrs"></span> <h2 id="node-attributes"><a class="group flex items-center gap-2" href="#node-attributes"><span id="inner-text">Node attributes</span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 
5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h2> <p>The <code>nodeAttrs</code> section of the tailnet policy file defines additional attributes that apply to specific devices in your tailnet. You can use node attributes to set different <a href="/kb/1218/nextdns">NextDNS configurations</a> for different devices in your tailnet.</p> <p>The following example shows a <code>nodeAttrs</code> definition that targets <code>my-kid@my-home.com</code> and <code>tag:server</code> with the attributes <code>nextdns:abc123</code> and <code>nextdns:no-device-info</code>.</p> <div class="group relative overflow-hidden"><div class="absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100"><button type="button" aria-label="copy"><svg width="17" height="17" viewBox="0 0 17 17" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M12.8333 9.91667H14.0833C15.0038 9.91667 15.75 9.1705 15.75 8.25V2.41667C15.75 1.49619 15.0038 0.75 14.0833 0.75H8.25C7.3295 0.75 6.58333 1.49619 6.58333 2.41667V3.66667M2.41667 6.58333H8.25C9.1705 6.58333 9.91667 7.3295 9.91667 8.25V14.0833C9.91667 15.0038 9.1705 15.75 8.25 15.75H2.41667C1.49619 15.75 0.75 15.0038 0.75 14.0833V8.25C0.75 7.3295 1.49619 6.58333 2.41667 6.58333Z" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path></svg></button></div><pre class="refractor language-json"><code class="language-json"><span class="token property">"nodeAttrs"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <span class="token punctuation">{</span> <span class="token property">"target"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"my-kid@my-home.com"</span><span class="token punctuation">,</span> <span class="token string">"tag:server"</span><span class="token 
punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"attr"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <span class="token string">"nextdns:abc123"</span><span class="token punctuation">,</span> <span class="token string">"nextdns:no-device-info"</span><span class="token punctuation">,</span> <span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token punctuation">}</span><span class="token punctuation">,</span> <span class="token punctuation">]</span><span class="token punctuation">,</span> </code></pre></div> <h3 id="target"><a class="group flex items-center gap-2" href="#target"><span id="inner-text"><code>target</code></span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>Specifies which nodes (devices) the attributes apply to. 
You can select the devices using a tag (<code>tag:server</code>), user (<code>alice@example.com</code>), group (<code>group:kids</code>), or <code>*</code>.</p> <h3 id="attr"><a class="group flex items-center gap-2" href="#attr"><span id="inner-text"><code>attr</code></span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>Specifies which attributes apply to those nodes (devices).</p> <p>For example:</p> <ul> <li>The attribute <code>nextdns:abc123</code> specifies the NextDNS configuration ID <code>abc123</code>. If this is used, the attribute overrides the global NextDNS configuration.</li> <li>The attribute <code>nextdns:no-device-info</code> disables sending device metadata to NextDNS.</li> </ul> <p>The following example allows members of the tailnet to use <a href="/kb/1223/funnel">Tailscale Funnel</a> on their nodes:</p> <div class="group relative overflow-hidden"><div class="absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100"><button type="button" aria-label="copy"><svg width="17" height="17" viewBox="0 0 17 17" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M12.8333 9.91667H14.0833C15.0038 9.91667 15.75 9.1705 15.75 8.25V2.41667C15.75 1.49619 15.0038 0.75 14.0833 0.75H8.25C7.3295 0.75 6.58333 1.49619 6.58333 2.41667V3.66667M2.41667 6.58333H8.25C9.1705 6.58333 9.91667 7.3295 9.91667 8.25V14.0833C9.91667 15.0038 9.1705 15.75 8.25 15.75H2.41667C1.49619 15.75 0.75 15.0038 0.75 14.0833V8.25C0.75 7.3295 
1.49619 6.58333 2.41667 6.58333Z" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path></svg></button></div><pre class="refractor language-json"><code class="language-json"><span class="token property">"nodeAttrs"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <span class="token punctuation">{</span> <span class="token property">"target"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"autogroup:members"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"attr"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"funnel"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token punctuation">}</span><span class="token punctuation">,</span> <span class="token punctuation">]</span><span class="token punctuation">,</span> </code></pre></div> <span id="tests"></span> <h2 id="tests"><a class="group flex items-center gap-2" href="#tests"><span id="inner-text">Tests</span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h2> <div class="note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm"><span class="absolute left-3 top-3 inline-block h-[18px] w-[18px]"><svg xmlns="http://www.w3.org/2000/svg" width="18px" height="18px" viewBox="0 0 24 24" fill="none" 
stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg></span>ACL tests<!-- --> <!-- -->are<!-- --> available for <a class="!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline" href="/pricing">all plans</a>.</div> <p>The <code>tests</code> section lets you write assertions about your access rules that run as checks each time the tailnet policy file changes. If an assertion fails, Tailscale rejects the updated tailnet policy file with an error. The error message indicates the failing tests.</p> <p>ACL tests let you ensure you don't accidentally revoke important permissions or expose a critical system.</p> <p>A <code>tests</code> definition looks like this:</p> <div class="group relative overflow-hidden"><div class="absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100"><button type="button" aria-label="copy"><svg width="17" height="17" viewBox="0 0 17 17" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M12.8333 9.91667H14.0833C15.0038 9.91667 15.75 9.1705 15.75 8.25V2.41667C15.75 1.49619 15.0038 0.75 14.0833 0.75H8.25C7.3295 0.75 6.58333 1.49619 6.58333 2.41667V3.66667M2.41667 6.58333H8.25C9.1705 6.58333 9.91667 7.3295 9.91667 8.25V14.0833C9.91667 15.0038 9.1705 15.75 8.25 15.75H2.41667C1.49619 15.75 0.75 15.0038 0.75 14.0833V8.25C0.75 7.3295 1.49619 6.58333 2.41667 6.58333Z" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path></svg></button></div><pre class="refractor language-json"><code class="language-json"><span class="token property">"tests"</span><span class="token operator">:</span> <span class="token punctuation">[</span> <span 
class="token punctuation">{</span> <span class="token property">"src"</span><span class="token operator">:</span> <span class="token string">"dave@example.com"</span><span class="token punctuation">,</span> <span class="token property">"srcPostureAttrs"</span><span class="token operator">:</span> <span class="token punctuation">{</span> <span class="token property">"node:os"</span><span class="token operator">:</span> <span class="token string">"windows"</span><span class="token punctuation">,</span> <span class="token punctuation">}</span><span class="token punctuation">,</span> <span class="token property">"proto"</span><span class="token operator">:</span> <span class="token string">"tcp"</span><span class="token punctuation">,</span> <span class="token property">"accept"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"example-host-1:22"</span><span class="token punctuation">,</span> <span class="token string">"vega:80"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"deny"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"192.0.2.3:443"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token punctuation">}</span><span class="token punctuation">,</span> <span class="token punctuation">]</span><span class="token punctuation">,</span> </code></pre></div> <h3 id="src-2"><a class="group flex items-center gap-2" href="#src-2"><span id="inner-text"><code>src</code></span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 
1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>Specifies the user identity to test, which can be a <a href="#reference-users">user's email address</a>, a <a href="#groups">group</a>, a <a href="/kb/1068/tags">tag</a>, or a <a href="#hosts">host</a> that maps to an IP address. The test case runs from the perspective of a device authenticated with the provided identity.</p> <h3 id="srcpostureattrs"><a class="group flex items-center gap-2" href="#srcpostureattrs"><span id="inner-text"><code>srcPostureAttrs</code></span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>Specifies the <a href="/kb/1288/device-posture">device posture attributes</a> as key-value pairs to use when evaluating posture conditions in access rules. 
You only need to use this field if the access rules contain <a href="/kb/1288/device-posture#device-posture-conditions">device posture conditions</a>.</p> <h3 id="proto-1"><a class="group flex items-center gap-2" href="#proto-1"><span id="inner-text"><code>proto</code></span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>Specifies the IP protocol for <code>accept</code> and <code>deny</code> rules, similar to the <code>proto</code> field in <a href="#acls">ACL rules</a>. When omitted, the test checks for either TCP or UDP access.</p> <h3 id="accept-and-deny-destinations"><a class="group flex items-center gap-2" href="#accept-and-deny-destinations"><span id="inner-text"><code>accept</code> and <code>deny</code> destinations</span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>Specifies destinations to accept or deny. 
Each destination in the list is of the form <code>host:port</code> where <code>port</code> is a single numeric port and <code>host</code> is one of the following:</p> <table class="w-full"><thead><tr><th><strong>Type</strong></th><th><strong>Example</strong></th><th><strong>Description</strong></th></tr></thead><tbody class="fs-small"><tr><td>Tailscale IP</td><td><code>100.101.102.103</code></td><td>Includes the device with the provided Tailscale IP address. IPv6 addresses must follow the format <code>[1:2:3::4]:80</code>.</td></tr><tr><td><a href="#hosts">Host</a></td><td><code>my-host</code></td><td>Includes the Tailscale IP address in the <code>hosts</code> section.</td></tr><tr><td>User</td><td><code>shreya@example.com</code></td><td>Includes the Tailscale IP addresses of devices signed in as the provided user.</td></tr><tr><td><a href="#groups">Group</a></td><td><code>group:security@example.com</code></td><td>Includes the Tailscale IP addresses of devices signed in as a representative member of the provided group.</td></tr><tr><td><a href="/kb/1068/tags">Tag</a></td><td><code>tag:production</code></td><td>Includes the Tailscale IP addresses of devices tagged with the provided tag.</td></tr></tbody></table> <p>Sources in <code>src</code> and destinations in <code>accept</code> and <code>deny</code> must refer to specific entities and do not support <code>*</code> wildcards. 
For example, an <code>accept</code> destination cannot be <code>tags:*</code>.</p> <div class="note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm"><span class="absolute left-3 top-3 inline-block h-[18px] w-[18px]"><svg xmlns="http://www.w3.org/2000/svg" width="18px" height="18px" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg></span><p>The legacy <code>allow</code> (instead of <code>accept</code>) continues to work in ACLs. However, it is best practice to use <code>accept</code>.</p></div> <span id="sshtests"></span> <h2 id="ssh-tests"><a class="group flex items-center gap-2" href="#ssh-tests"><span id="inner-text">SSH Tests</span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h2> <div class="note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm"><span class="absolute left-3 top-3 inline-block h-[18px] w-[18px]"><svg xmlns="http://www.w3.org/2000/svg" width="18px" height="18px" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg></span>SSH tests<!-- --> <!-- -->are<!-- --> 
available for <a class="!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline" href="/pricing">all plans</a>.</div> <p>The <code>sshTests</code> section lets you write assertions about your <a href="/kb/1193/tailscale-ssh">Tailscale SSH</a> access rules. SSH tests function similarly to ACL <a href="#tests">tests</a>.</p> <p>SSH tests run when the tailnet policy file changes. If an assertion fails, Tailscale rejects the updated tailnet policy file with an error detailing the failing tests.</p> <p>The following example shows an <code>sshTests</code> definition that performs the following tests on connections from <code>dave@example.com</code> to <code>example-host-1</code>:</p> <ul> <li>If the user is <code>dave</code>, it accepts the connection.</li> <li>If the user is <code>admin</code>, it checks the connection.</li> <li>If the user is <code>root</code>, it denies the connection.</li> </ul> <div class="group relative overflow-hidden"><div class="absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100"><button type="button" aria-label="copy"><svg width="17" height="17" viewBox="0 0 17 17" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M12.8333 9.91667H14.0833C15.0038 9.91667 15.75 9.1705 15.75 8.25V2.41667C15.75 1.49619 15.0038 0.75 14.0833 0.75H8.25C7.3295 0.75 6.58333 1.49619 6.58333 2.41667V3.66667M2.41667 6.58333H8.25C9.1705 6.58333 9.91667 7.3295 9.91667 8.25V14.0833C9.91667 15.0038 9.1705 15.75 8.25 15.75H2.41667C1.49619 15.75 0.75 15.0038 0.75 14.0833V8.25C0.75 7.3295 1.49619 6.58333 2.41667 6.58333Z" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path></svg></button></div><pre class="refractor language-json"><code class="language-json"><span class="token property">"sshTests"</span><span class="token 
operator">:</span> <span class="token punctuation">[</span> <span class="token punctuation">{</span> <span class="token property">"src"</span><span class="token operator">:</span> <span class="token string">"dave@example.com"</span><span class="token punctuation">,</span> <span class="token property">"dst"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"example-host-1"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"accept"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"dave"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"check"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"admin"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token property">"deny"</span><span class="token operator">:</span> <span class="token punctuation">[</span><span class="token string">"root"</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token punctuation">}</span><span class="token punctuation">,</span> <span class="token punctuation">]</span><span class="token punctuation">,</span> </code></pre></div> <h3 id="src-3"><a class="group flex items-center gap-2" href="#src-3"><span id="inner-text"><code>src</code></span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" 
y2="12"></line></svg></span></a></h3> <p>Specifies the user identity that's attempting to connect using SSH, which can be a <a href="#reference-users">user's email address</a>, a <a href="#groups">group</a>, a <a href="/kb/1068/tags">tag</a>, or a <a href="#hosts">host</a> that maps to an IP address. The test case runs from the perspective of a device authenticated with the provided identity.</p> <h3 id="dst-2"><a class="group flex items-center gap-2" href="#dst-2"><span id="inner-text"><code>dst</code></span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>Specifies one or more destinations to which the <code>src</code> user is connecting, which can be a <a href="#reference-users">user's email address</a>, a <a href="#groups">group</a>, a <a href="/kb/1068/tags">tag</a>, or a <a href="#hosts">host</a> that maps to an IP address.</p> <h3 id="accept"><a class="group flex items-center gap-2" href="#accept"><span id="inner-text"><code>accept</code></span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>Specifies zero, one, or more usernames to allow on the <code>dst</code> host without requiring an additional 
check. Refer to <a href="#action-1">action <code>accept</code></a>.</p> <h3 id="check"><a class="group flex items-center gap-2" href="#check"><span id="inner-text"><code>check</code></span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>Specifies zero, one, or more usernames to allow on the <code>dst</code> host if the <code>src</code> user passes an additional check. Refer to <a href="#action-1">action <code>check</code></a>.</p> <h3 id="deny"><a class="group flex items-center gap-2" href="#deny"><span id="inner-text"><code>deny</code></span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>Specifies zero, one, or more usernames to disallow on the <code>dst</code> host (under any circumstances).</p> <span id="ipsets"></span> <h2 id="ip-sets"><a class="group flex items-center gap-2" href="#ip-sets"><span id="inner-text">IP sets</span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" 
stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h2> <p>An IP set is a way to manage groups of IP addresses. It can encapsulate a collection of IP addresses, CIDRs, hosts, autogroups, and other IP sets. The primary benefit of IP sets is that they let you group multiple network parts into a single collection, enabling you to apply access control policies to the collection rather than the individual IP addresses, hosts, or subnets.</p> <p>Refer to the <a href="/kb/1387/ipsets">IP sets documentation</a>.</p> <h2 id="network-policy-options"><a class="group flex items-center gap-2" href="#network-policy-options"><span id="inner-text">Network policy options</span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h2> <div class="note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm"><span class="absolute left-3 top-3 inline-block h-[18px] w-[18px]"><svg xmlns="http://www.w3.org/2000/svg" width="18px" height="18px" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg></span>Network policy options<!-- --> <!-- -->are<!-- --> available for <a class="!font-medium !text-blue-500 underline decoration-blue-50 
underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline" href="/pricing">all plans</a>.</div> <p>In addition to access rules, the tailnet policy file includes a few network-wide policy settings for specialized purposes. Most networks should never need to specify these.</p> <h3 id="derpmap"><a class="group flex items-center gap-2" href="#derpmap"><span id="inner-text"><code>derpMap</code></span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>The <code>derpMap</code> section lets you add <a href="/kb/1118/custom-derp-servers">custom DERP servers</a> to your network, which your devices will use as needed to relay traffic. You can also use this section to disable using Tailscale-provided DERP servers. For example, you might want to disable Tailscale-provided DERP servers to meet corporate compliance requirements. 
Refer to <a href="/kb/1118/custom-derp-servers">running custom DERP servers</a> for more information.</p> <h3 id="disableipv4"><a class="group flex items-center gap-2" href="#disableipv4"><span id="inner-text"><code>disableIPv4</code></span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>The <code>disableIPv4</code> field (if set to <code>true</code>) stops assigning Tailscale IPv4 addresses to your devices. When IPv4 is disabled, all devices in your network receive exclusively IPv6 Tailscale addresses. Devices that do not support IPv6 (for example, systems that have IPv6 disabled in the operating system) will be unreachable. 
This option is intended for users with a pre-existing conflicting use of the <code>100.64.0.0/10</code> carrier-grade NAT address range.</p> <h3 id="onecgnatroute"><a class="group flex items-center gap-2" href="#onecgnatroute"><span id="inner-text"><code>OneCGNATRoute</code></span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>The <code>OneCGNATRoute</code> field controls the routes that Tailscale clients generate.</p> <p>Tailscale clients can have either:</p> <ul> <li>One large <code>100.64/10</code> route to avoid churn in the routing table as devices go online and offline. (The churn is <a href="https://bugs.chromium.org/p/chromium/issues/detail?id=1076619">disruptive</a> to Chromium-based browsers on macOS.)</li> <li>Fine-grained <code>/32</code> routes.</li> </ul> <p>The possible values for <code>OneCGNATRoute</code> are:</p> <ul> <li>An empty string or not provided: Use default heuristics for each platform.<!-- --> <ul> <li>For all platforms (other than macOS), Tailscale adds fine-grained <code>/32</code> routes for each device.</li> <li>On macOS (for Tailscale v1.28 or later), Tailscale adds one <code>100.64/10</code> route. 
Tailscale won't use one <code>100.64/10</code> route if other interfaces also route IP addresses in that range.</li> </ul> </li> <li><code>"mac-always"</code>: macOS clients always add one <code>100.64/10</code> route.</li> <li><code>"mac-never"</code>: macOS clients always add fine-grained <code>/32</code> routes.</li> </ul> <h3 id="randomizeclientport"><a class="group flex items-center gap-2" href="#randomizeclientport"><span id="inner-text"><code>randomizeClientPort</code></span><span aria-hidden="true" class="inline-block opacity-0 transition-opacity duration-150 group-hover:opacity-100"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link-2"><path d="M15 7h3a5 5 0 0 1 5 5 5 5 0 0 1-5 5h-3m-6 0H6a5 5 0 0 1-5-5 5 5 0 0 1 5-5h3"></path><line x1="8" y1="12" x2="16" y2="12"></line></svg></span></a></h3> <p>The <code>randomizeClientPort</code> field (if set to <code>true</code>) makes devices prefer a random port for WireGuard traffic over the default static port <code>41641</code>. 
You should only use the <code>randomizeClientPort</code> field as a workaround for some buggy firewall devices after consulting with Tailscale (<a href="/contact/support">support</a>).</p><!--/$--></div></article><p class="mt-6 text-sm leading-snug text-gray-600">Last updated <!-- -->Feb 24, 2025</p></div></div>
text-heading-black/60 hover:text-black/100" href="/use-cases/homelab">Homelab</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/enterprise">Enterprise</a></div></div><div><p class="t-16 !leading-[1.05] text-heading-black">Resources</p><div class="mt-4 flex flex-col gap-3 lg:mt-8 lg:gap-4"><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/blog">Blog</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/events-webinars">Events & Webinars</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/partnerships">Partnerships</a></div></div><div><p class="t-16 !leading-[1.05] text-heading-black">Company</p><div class="mt-4 flex flex-col gap-3 lg:mt-8 lg:gap-4"><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/company">Company</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/careers">Careers</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/press">Press</a></div></div><div><p class="t-16 !leading-[1.05] text-heading-black">Help & Support</p><div class="mt-4 flex flex-col gap-3 lg:mt-8 lg:gap-4"><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/contact/support">Support</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors 
duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/contact/sales">Sales</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/security">Security</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/legal">Legal</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/opensource">Open Source</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/changelog">Changelog</a></div></div><div><p class="t-16 !leading-[1.05] text-heading-black">Learn</p><div class="mt-4 flex flex-col gap-3 lg:mt-8 lg:gap-4"><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/learn/generate-ssh-keys">SSH keys</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/learn/ssh-into-docker-container">Docker SSH</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/learn/devsecops">DevSecOps</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/learn/multicloud">Multicloud</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/blog/how-nat-traversal-works">NAT Traversal</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 
md:text-[16px] text-heading-black/60 hover:text-black/100" href="/blog/2021-09-private-dns-with-magicdns">MagicDNS</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/learn/privileged-access-management">PAM</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/learn/principle-of-least-privilege">PoLP</a><a class="text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100" href="/learn">All articles</a></div></div></div><div class="container"><div class="grid grid-cols-1 gap-x-5 gap-y-8 border-t border-stroke-grey pt-8 xxs:grid-cols-2 md:grid-cols-12 md:pt-[70px] lg:gap-y-[60px]"><div class="xxs:col-span-2 md:col-span-4"><a class="block w-[160px]" title="Homepage" data-track="Link Clicked" data-track-properties="{"label": "Footer logo"}" href="/"><svg class="transition-colors duration-200 " width="100%" height="100%" viewBox="0 0 110 20" fill="none" xmlns="http://www.w3.org/2000/svg"><ellipse cx="2.44719" cy="10.1796" rx="2.44719" ry="2.44128" fill="#242424"></ellipse><ellipse cx="9.79094" cy="10.1796" rx="2.44719" ry="2.44128" fill="#242424"></ellipse><ellipse opacity="0.2" cx="2.44719" cy="17.5077" rx="2.44719" ry="2.44128" fill="#242424"></ellipse><ellipse opacity="0.2" cx="17.1269" cy="17.5077" rx="2.44719" ry="2.44128" fill="#242424"></ellipse><ellipse cx="9.79094" cy="17.5077" rx="2.44719" ry="2.44128" fill="#242424"></ellipse><ellipse cx="17.1269" cy="10.1796" rx="2.44719" ry="2.44128" fill="#242424"></ellipse><ellipse opacity="0.2" cx="2.44719" cy="2.85924" rx="2.44719" ry="2.44128" fill="#242424"></ellipse><ellipse opacity="0.2" cx="9.79094" cy="2.85924" rx="2.44719" ry="2.44128" fill="#242424"></ellipse><ellipse opacity="0.2" cx="17.1269" cy="2.85924" rx="2.44719" ry="2.44128" 
fill="#242424"></ellipse><path d="M34.3979 18.458C35.0907 18.458 35.6536 18.3933 36.3248 18.2637V15.7584C35.9134 15.9096 35.4588 15.9528 35.0258 15.9528C33.965 15.9528 33.5753 15.4344 33.5753 14.441V9.34402H36.3248V6.83875H33.5753V3.12403H30.5443V6.83875H28.5742V9.34402H30.5443V14.7217C30.5443 17.0974 31.8 18.458 34.3979 18.458Z" fill="#242424"></path><path d="M41.2747 18.458C42.8984 18.458 43.9809 17.9181 44.5222 17.0758C44.5655 17.443 44.6954 17.9397 44.8686 18.2421H47.5964C47.4449 17.7237 47.3366 16.903 47.3366 16.3631V10.4455C47.3366 8.005 45.583 6.62277 42.617 6.62277C40.3654 6.62277 38.6118 7.46507 37.6376 8.69611L39.3696 10.4023C40.149 9.5384 41.1448 9.08486 42.3572 9.08486C43.8294 9.08486 44.4789 9.58159 44.4789 10.3159C44.4789 10.9422 44.0459 11.3742 41.7077 11.3742C39.4562 11.3742 37.183 12.3028 37.183 14.8945C37.183 17.2918 38.9149 18.458 41.2747 18.458ZM41.8809 16.1687C40.7118 16.1687 40.1706 15.672 40.1706 14.7865C40.1706 14.009 40.8201 13.4907 41.9026 13.4907C43.6345 13.4907 44.1108 13.3827 44.4789 13.0155V13.9442C44.4789 15.1753 43.4397 16.1687 41.8809 16.1687Z" fill="#242424"></path><path d="M49.3069 5.39173H52.4677V2.5625H49.3069V5.39173ZM49.3718 18.2421H52.4028V6.83875H49.3718V18.2421Z" fill="#242424"></path><path d="M54.6109 18.2421H57.6418V2.90805H54.6109V18.2421Z" fill="#242424"></path><path d="M63.9416 18.458C67.2757 18.458 68.986 16.7087 68.986 14.8729C68.986 13.2099 68.1417 11.9789 65.3705 11.4821C63.4221 11.1366 62.2097 10.7046 62.2097 10.0351C62.2097 9.45201 62.9025 9.04166 64.0715 9.04166C65.1107 9.04166 65.9767 9.38722 66.6262 10.1431L68.553 8.52333C67.5788 7.31389 65.9767 6.62277 64.0715 6.62277C61.1489 6.62277 59.3303 8.17777 59.3303 10.0783C59.3303 12.1517 61.2354 13.0803 63.2922 13.4475C65.0025 13.7499 65.9551 14.0738 65.9551 14.8081C65.9551 15.4344 65.2839 15.9528 64.0066 15.9528C62.7509 15.9528 61.7767 15.3696 61.322 14.5058L58.7674 15.7152C59.3952 17.2702 61.5385 18.458 63.9416 18.458Z" fill="#242424"></path><path d="M75.7621 
18.458C77.9271 18.458 79.4859 17.5942 80.6549 15.6504L78.2302 14.4194C77.7755 15.3265 77.0395 15.9528 75.7621 15.9528C73.8353 15.9528 72.7961 14.3978 72.7961 12.5188C72.7961 10.6399 73.9003 9.12805 75.7621 9.12805C76.9312 9.12805 77.7106 9.75437 78.1652 10.7046L80.6116 9.40882C79.7889 7.61625 78.1652 6.62277 75.7621 6.62277C71.8003 6.62277 69.7652 9.5168 69.7652 12.5188C69.7652 15.78 72.2333 18.458 75.7621 18.458Z" fill="#242424"></path><path d="M85.4829 18.458C87.1067 18.458 88.1891 17.9181 88.7304 17.0758C88.7737 17.443 88.9036 17.9397 89.0768 18.2421H91.8046C91.6531 17.7237 91.5448 16.903 91.5448 16.3631V10.4455C91.5448 8.005 89.7912 6.62277 86.8252 6.62277C84.5737 6.62277 82.8201 7.46507 81.8458 8.69611L83.5778 10.4023C84.3572 9.5384 85.353 9.08486 86.5654 9.08486C88.0376 9.08486 88.6871 9.58159 88.6871 10.3159C88.6871 10.9422 88.2541 11.3742 85.9159 11.3742C83.6644 11.3742 81.3912 12.3028 81.3912 14.8945C81.3912 17.2918 83.1231 18.458 85.4829 18.458ZM86.0891 16.1687C84.9201 16.1687 84.3788 15.672 84.3788 14.7865C84.3788 14.009 85.0283 13.4907 86.1108 13.4907C87.8427 13.4907 88.319 13.3827 88.6871 13.0155V13.9442C88.6871 15.1753 87.6479 16.1687 86.0891 16.1687Z" fill="#242424"></path><path d="M93.3263 18.2421H96.3573V2.90805H93.3263V18.2421Z" fill="#242424"></path><path d="M103.631 18.458C105.861 18.458 107.658 17.5726 108.654 15.996L106.359 14.5274C105.753 15.4776 104.952 15.996 103.631 15.996C102.138 15.996 101.055 15.1753 100.774 13.5771H109.39V12.5188C109.39 9.5168 107.55 6.62277 103.61 6.62277C99.8643 6.62277 97.8293 9.5384 97.8293 12.5404C97.8293 16.8167 101.055 18.458 103.631 18.458ZM100.882 11.2014C101.358 9.75437 102.354 9.08486 103.675 9.08486C105.168 9.08486 106.078 9.97034 106.381 11.2014H100.882Z" fill="#242424"></path></svg></a></div><div class="flex flex-col gap-[14px] md:col-span-2"><a class="t-14 !leading-[1.05] underline transition-colors duration-300 text-heading-black/60 hover:text-black/100" href="/terms">Terms of Service</a><a class="t-14 
!leading-[1.05] underline transition-colors duration-300 text-heading-black/60 hover:text-black/100" href="/privacy-policy">Privacy Policy</a></div><div class="md:col-span-3"><div class="t-14 max-w-[250px] !leading-[1.35] text-heading-black/60 ">WireGuard is a registered trademark of Jason A. Donenfeld.</div></div><div class="flex gap-[6px] xxs:col-span-2 md:col-span-3 md:flex md:justify-end"><a target="_blank" class="group transition-colors duration-300 text-heading-black hover:text-grey-3" data-track="Link Clicked" data-track-properties="{"label": "Footer Twitter logo"}" href="https://twitter.com/tailscale"><svg width="28" height="29" viewBox="0 0 28 29" fill="none" xmlns="http://www.w3.org/2000/svg"><rect y="0.988281" width="28" height="28" rx="14" fill="currentColor"></rect><path class=" transition-colors duration-300 group-hover:fill-heading-black" d="M8.03169 9L13.0509 15.0672L8 20H9.13675L13.5587 15.6812L17.1317 20H21L15.6985 13.5916L20.3997 9H19.263L15.1906 12.9775L11.9001 9H8.03169ZM9.70337 9.75698H11.4805L19.3281 19.2429H17.551L9.70337 9.75698Z" fill="white"></path></svg></a><a target="_blank" class="group transition-colors duration-300 text-heading-black hover:text-grey-3" data-track="Link Clicked" data-track-properties="{"label": "Footer Facebook logo"}" href="https://www.facebook.com/tailscale/"><svg width="28" height="28" viewBox="0 0 28 28" fill="none" xmlns="http://www.w3.org/2000/svg"><rect x="0.21875" width="27.2195" height="27.2195" rx="13.6098" fill="currentColor"></rect><path class=" transition-colors duration-300 group-hover:fill-heading-black" d="M12.434 19.6598L12.4179 14.8081H10.3008V12.7289H12.4179V11.3427C12.4179 9.47188 13.5974 8.57031 15.2966 8.57031C16.1106 8.57031 16.8101 8.62983 17.014 8.65643V10.6115L15.8355 10.612C14.9114 10.612 14.7324 11.0433 14.7324 11.6762V12.7289H17.3577L16.652 14.8081H14.7324V19.6598H12.434Z" fill="#fff"></path></svg></a><a target="_blank" class="group transition-colors duration-300 text-heading-black 
hover:text-grey-3" data-track="Link Clicked" data-track-properties="{"label": "Footer LinkedIn logo"}" href="https://www.linkedin.com/company/tailscale"><svg width="28" height="28" viewBox="0 0 28 28" fill="none" xmlns="http://www.w3.org/2000/svg"><rect x="0.439453" width="27.2195" height="27.2195" rx="13.6098" fill="currentColor"></rect><path class=" transition-colors duration-300 group-hover:fill-heading-black" d="M8.68685 18.6518H10.8825V11.5871H8.68685V18.6518Z" fill="white"></path><path class=" transition-colors duration-300 group-hover:fill-heading-black" d="M8.50195 9.34036C8.50195 10.0352 9.07976 10.6143 9.77312 10.6143C10.4896 10.6143 11.0443 10.0584 11.0443 9.34036C11.0443 8.64547 10.4665 8.06641 9.77312 8.06641C9.07976 8.06641 8.50195 8.64547 8.50195 9.34036Z" fill="white"></path><path class=" transition-colors duration-300 group-hover:fill-heading-black" d="M16.8917 18.6518H19.0873V14.7836C19.0873 12.8843 18.6713 11.425 16.4525 11.425C15.3894 11.425 14.6729 12.0041 14.3724 12.56H14.3493V11.5871H12.2461V18.6518H14.4418V15.1542C14.4418 14.2509 14.6267 13.3475 15.7592 13.3475C16.8686 13.3475 16.8917 14.413 16.8917 15.2237V18.6518Z" fill="white"></path></svg></a><a target="_blank" rel="me" class="group transition-colors duration-300 text-heading-black hover:text-grey-3" data-track="Link Clicked" data-track-properties="{"label": "Footer Mastodon logo"}" href="https://hachyderm.io/@tailscale"><svg width="28" height="29" viewBox="0 0 28 29" fill="none" xmlns="http://www.w3.org/2000/svg"><rect y="0.988281" width="28" height="28" rx="14" fill="currentColor"></rect><path class="transition-colors duration-300 group-hover:fill-heading-black" fill="white" d="M19.9516 10.8781C19.7667 9.48128 18.5693 8.38051 17.1498 8.16721C16.9104 8.13117 16.003 8 13.9011 8H13.8854C11.7829 8 11.3319 8.13117 11.0924 8.16721C9.71243 8.3746 8.45223 9.3637 8.14648 10.777C7.99942 11.4731 7.98373 12.2447 8.01105 12.9526C8.04999 13.9677 8.05755 14.981 8.14823 15.992C8.21091 16.6635 8.32027 
17.3297 8.47548 17.9855C8.76612 19.1968 9.94262 20.2048 11.0953 20.616C12.3294 21.0449 13.6566 21.1161 14.9282 20.8216C15.0681 20.7886 15.2065 20.7502 15.3432 20.7064C15.6519 20.6066 16.014 20.4949 16.2803 20.2987C16.2839 20.296 16.2869 20.2924 16.289 20.2883C16.2911 20.2842 16.2923 20.2797 16.2925 20.2751V19.2955C16.2924 19.2911 16.2914 19.2869 16.2895 19.283C16.2876 19.2791 16.2849 19.2758 16.2815 19.2731C16.2782 19.2704 16.2743 19.2686 16.2702 19.2676C16.266 19.2667 16.2617 19.2667 16.2576 19.2677C15.4429 19.4655 14.608 19.5647 13.7703 19.5631C12.3288 19.5631 11.941 18.8677 11.83 18.5782C11.7408 18.3279 11.6841 18.0669 11.6614 17.8018C11.6612 17.7973 11.662 17.7929 11.6638 17.7888C11.6656 17.7847 11.6683 17.7811 11.6717 17.7783C11.6751 17.7755 11.6791 17.7735 11.6834 17.7726C11.6876 17.7716 11.6921 17.7717 11.6963 17.7728C12.4975 17.9693 13.3188 18.0685 14.1429 18.0682C14.3411 18.0682 14.5387 18.0682 14.737 18.0629C15.5659 18.0393 16.4395 17.9962 17.255 17.8343C17.2754 17.8301 17.2957 17.8266 17.3132 17.8213C18.5995 17.5701 19.8237 16.7819 19.9481 14.786C19.9527 14.7074 19.9644 13.963 19.9644 13.8814C19.965 13.6043 20.0521 11.9156 19.9516 10.8781ZM17.9718 15.8584H16.6191V12.4905C16.6191 11.7815 16.3285 11.4199 15.7373 11.4199C15.0875 11.4199 14.762 11.8477 14.762 12.6926V14.5361H13.4175V12.6926C13.4175 11.8477 13.0914 11.4199 12.4415 11.4199C11.8538 11.4199 11.5603 11.7815 11.5597 12.4905V15.8584H10.2083V12.3883C10.2083 11.6793 10.3863 11.116 10.7425 10.6985C11.1098 10.2819 11.5917 10.068 12.1898 10.068C12.8821 10.068 13.4053 10.3386 13.754 10.8793L14.0906 11.4536L14.4277 10.8793C14.7765 10.3386 15.2996 10.068 15.9908 10.068C16.5883 10.068 17.0702 10.2819 17.4387 10.6985C17.7949 11.1156 17.9729 11.6789 17.9729 12.3883L17.9718 15.8584Z"></path></svg></a><a target="_blank" class="group transition-colors duration-300 text-heading-black hover:text-grey-3" data-track="Link Clicked" data-track-properties="{"label": "Footer Youtube logo"}" 
href="https://www.youtube.com/@Tailscale"><svg width="28" height="28" viewBox="0 0 28 28" fill="none" xmlns="http://www.w3.org/2000/svg"><rect x="0.658203" width="27.2195" height="27.2195" rx="13.6098" fill="currentColor"></rect><path class=" transition-colors duration-300 group-hover:fill-heading-black" d="M19.6754 11.46C19.5368 10.5863 19.121 9.98138 18.1506 9.84696C16.6258 9.57813 14.2693 9.57812 14.2693 9.57812C14.2693 9.57812 11.9128 9.57813 10.388 9.84696C9.4177 9.98138 8.93254 10.5863 8.86323 11.46C8.72461 12.3337 8.72461 13.6106 8.72461 13.6106C8.72461 13.6106 8.72461 14.8876 8.86323 15.7613C9.00185 16.635 9.4177 17.2399 10.388 17.3743C11.9128 17.6432 14.2693 17.6432 14.2693 17.6432C14.2693 17.6432 16.6258 17.6432 18.1506 17.3743C19.121 17.1727 19.5368 16.635 19.6754 15.7613C19.814 14.8876 19.814 13.6106 19.814 13.6106C19.814 13.6106 19.814 12.3337 19.6754 11.46ZM12.8831 15.6269V11.5944L16.3486 13.6106L12.8831 15.6269Z" fill="white"></path></svg></a></div><div class="t-14 flex flex-wrap tracking-[0.07px] xxs:col-span-2 md:col-span-12 text-heading-black/60 ">© <!-- -->2025<!-- --> <!-- -->Tailscale Inc. All rights reserved. 
Tailscale is a registered trademark of Tailscale Inc.</div></div></div></footer><!--$--><!--/$--><script src="/_next/static/chunks/webpack-7add37186d0ff440.js" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0]);self.__next_f.push([2,null])</script><script>self.__next_f.push([1,"1:HL[\"/_next/static/media/503dd21c3e9aa947-s.p.woff2\",\"font\",{\"crossOrigin\":\"\",\"type\":\"font/woff2\"}]\n2:HL[\"/_next/static/media/59aafc96071162d7-s.p.woff2\",\"font\",{\"crossOrigin\":\"\",\"type\":\"font/woff2\"}]\n3:HL[\"/_next/static/media/6190d09d67eb8e2d-s.p.woff2\",\"font\",{\"crossOrigin\":\"\",\"type\":\"font/woff2\"}]\n4:HL[\"/_next/static/media/6267f766bc823bf8-s.p.woff2\",\"font\",{\"crossOrigin\":\"\",\"type\":\"font/woff2\"}]\n5:HL[\"/_next/static/media/ce17880c21b59d21-s.p.woff2\",\"font\",{\"crossOrigin\":\"\",\"type\":\"font/woff2\"}]\n6:HL[\"/_next/static/media/d3470cfc68a51edd-s.p.woff2\",\"font\",{\"crossOrigin\":\"\",\"type\":\"font/woff2\"}]\n7:HL[\"/_next/static/css/425118351a398cbb.css\",\"style\"]\n8:HL[\"/_next/static/css/90d8e427ffb6abd2.css\",\"style\"]\n"])</script><script>self.__next_f.push([1,"9:I[95751,[],\"\"]\nc:I[39275,[],\"\"]\ne:I[89611,[\"231\",\"static/chunks/231-07416b1f957d0db7.js\",\"9286\",\"static/chunks/app/kb/%5B%5B...params%5D%5D/error-d79b6b3fc14d36f0.js\"],\"default\"]\nf:I[61343,[],\"\"]\n12:I[60165,[\"3185\",\"static/chunks/app/layout-32e599393abf9240.js\"],\"default\"]\n14:I[76130,[],\"\"]\nd:[\"params\",\"1337/acl-syntax\",\"oc\"]\n15:[]\n"])</script><script>self.__next_f.push([1,"0:[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/425118351a398cbb.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}],[\"$\",\"link\",\"1\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/90d8e427ffb6abd2.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]],[\"$\",\"$L9\",null,{\"buildId\":\"1lqTpUpp4ZU3uxrLrtdhl\",\"assetPrefix\":\"\",\"initialCanonicalUrl\":\"/kb/1337/acl-synt
ax\",\"initialTree\":[\"\",{\"children\":[\"kb\",{\"children\":[[\"params\",\"1337/acl-syntax\",\"oc\"],{\"children\":[\"__PAGE__\",{}]}]}]},\"$undefined\",\"$undefined\",true],\"initialSeedData\":[\"\",{\"children\":[\"kb\",{\"children\":[[\"params\",\"1337/acl-syntax\",\"oc\"],{\"children\":[\"__PAGE__\",{},[[\"$La\",\"$Lb\"],null],null]},[\"$\",\"$Lc\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"kb\",\"children\",\"$d\",\"children\"],\"error\":\"$e\",\"errorStyles\":[],\"errorScripts\":[],\"template\":[\"$\",\"$Lf\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$L10\",\"notFoundStyles\":[],\"styles\":null}],null]},[\"$L11\",null],null]},[[\"$\",\"html\",null,{\"lang\":\"en\",\"className\":\"__className_943d4e\",\"children\":[\"$\",\"body\",null,{\"children\":[\"$\",\"$L12\",null,{\"children\":[\"$\",\"$Lc\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$Lf\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":[[\"$\",\"title\",null,{\"children\":\"404: This page could not be found.\"}],[\"$\",\"div\",null,{\"style\":{\"fontFamily\":\"system-ui,\\\"Segoe UI\\\",Roboto,Helvetica,Arial,sans-serif,\\\"Apple Color Emoji\\\",\\\"Segoe UI Emoji\\\"\",\"height\":\"100vh\",\"textAlign\":\"center\",\"display\":\"flex\",\"flexDirection\":\"column\",\"alignItems\":\"center\",\"justifyContent\":\"center\"},\"children\":[\"$\",\"div\",null,{\"children\":[[\"$\",\"style\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid 
rgba(255,255,255,.3)}}\"}}],[\"$\",\"h1\",null,{\"className\":\"next-error-h1\",\"style\":{\"display\":\"inline-block\",\"margin\":\"0 20px 0 0\",\"padding\":\"0 23px 0 0\",\"fontSize\":24,\"fontWeight\":500,\"verticalAlign\":\"top\",\"lineHeight\":\"49px\"},\"children\":\"404\"}],[\"$\",\"div\",null,{\"style\":{\"display\":\"inline-block\"},\"children\":[\"$\",\"h2\",null,{\"style\":{\"fontSize\":14,\"fontWeight\":400,\"lineHeight\":\"49px\",\"margin\":0},\"children\":\"This page could not be found.\"}]}]]}]}]],\"notFoundStyles\":[],\"styles\":null}]}]}]}],null],null],\"couldBeIntercepted\":false,\"initialHead\":[false,\"$L13\"],\"globalErrorComponent\":\"$14\",\"missingSlots\":\"$W15\"}]]\n"])</script><script>self.__next_f.push([1,"16:I[231,[\"231\",\"static/chunks/231-07416b1f957d0db7.js\",\"5828\",\"static/chunks/5828-bdbd767bd529f5f9.js\",\"6257\",\"static/chunks/6257-e637d432bc778e7a.js\",\"919\",\"static/chunks/919-76fb265b32c91554.js\",\"7004\",\"static/chunks/app/kb/layout-fda2441131486605.js\"],\"\"]\n10:[\"$\",\"div\",null,{\"className\":\"mx-auto max-w-lg py-14 md:py-16\",\"children\":[[\"$\",\"h1\",null,{\"className\":\"text-2xl font-medium md:text-4xl\",\"children\":\"Page not found\"}],[\"$\",\"h2\",null,{\"className\":\"mt-4 text-lg font-medium md:text-xl\",\"children\":\"Sorry, but the page you were looking for could not be found.\"}],[\"$\",\"p\",null,{\"className\":\"prose mt-4\",\"children\":[\"You can\",\" \",[\"$\",\"$L16\",null,{\"className\":\"link\",\"href\":\"/kb\",\"children\":\"return to our docs homepage\"}],\",\",\" \",[\"$\",\"$L16\",null,{\"className\":\"link\",\"href\":\"/\",\"children\":\"site homepage\"}],\", or\",\" \",[\"$\",\"$L16\",null,{\"className\":\"link\",\"href\":\"mailto:info@tailscale.com\",\"children\":\"get in touch\"}],\" \",\"if you can’t find what you’re looking for.\"]}]]}]\n"])</script><script>self.__next_f.push([1,"13:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, 
initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"name\":\"theme-color\",\"content\":\"#fff\"}],[\"$\",\"meta\",\"2\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"3\",{\"children\":\"ACL syntax · Tailscale Docs\"}],[\"$\",\"meta\",\"4\",{\"name\":\"description\",\"content\":\"Reference syntax for the tailnet policy file.\"}],[\"$\",\"link\",\"5\",{\"rel\":\"canonical\",\"href\":\"https://tailscale.com/kb/1337/acl-syntax\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"ACL syntax · Tailscale Docs\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"Reference syntax for the tailnet policy file.\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://tailscale.com/kb/1337/acl-syntax\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:site_name\",\"content\":\"Tailscale\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image\",\"content\":\"https://tailscale.com/files/images/og-image.png\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:type\",\"content\":\"article\"}],[\"$\",\"meta\",\"12\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"13\",{\"name\":\"twitter:creator\",\"content\":\"@tailscale\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:title\",\"content\":\"ACL syntax\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:description\",\"content\":\"Reference syntax for the tailnet policy 
file.\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:image\",\"content\":\"https://tailscale.com/files/images/og-image.png\"}],[\"$\",\"link\",\"17\",{\"rel\":\"icon\",\"href\":\"/favicon.png\",\"type\":\"image/png\"}],[\"$\",\"link\",\"18\",{\"rel\":\"icon\",\"href\":\"/favicon.svg\",\"type\":\"image/svg+xml\"}],[\"$\",\"meta\",\"19\",{\"name\":\"next-size-adjust\"}]]\na:null\n"])</script><script>self.__next_f.push([1,"17:I[32443,[\"231\",\"static/chunks/231-07416b1f957d0db7.js\",\"5828\",\"static/chunks/5828-bdbd767bd529f5f9.js\",\"6257\",\"static/chunks/6257-e637d432bc778e7a.js\",\"919\",\"static/chunks/919-76fb265b32c91554.js\",\"7004\",\"static/chunks/app/kb/layout-fda2441131486605.js\"],\"CurrentUserProvider\"]\n18:I[1843,[\"231\",\"static/chunks/231-07416b1f957d0db7.js\",\"5828\",\"static/chunks/5828-bdbd767bd529f5f9.js\",\"6257\",\"static/chunks/6257-e637d432bc778e7a.js\",\"919\",\"static/chunks/919-76fb265b32c91554.js\",\"7004\",\"static/chunks/app/kb/layout-fda2441131486605.js\"],\"default\"]\n19:T820,"])</script><script>self.__next_f.push([1,"M19.9516 10.8781C19.7667 9.48128 18.5693 8.38051 17.1498 8.16721C16.9104 8.13117 16.003 8 13.9011 8H13.8854C11.7829 8 11.3319 8.13117 11.0924 8.16721C9.71243 8.3746 8.45223 9.3637 8.14648 10.777C7.99942 11.4731 7.98373 12.2447 8.01105 12.9526C8.04999 13.9677 8.05755 14.981 8.14823 15.992C8.21091 16.6635 8.32027 17.3297 8.47548 17.9855C8.76612 19.1968 9.94262 20.2048 11.0953 20.616C12.3294 21.0449 13.6566 21.1161 14.9282 20.8216C15.0681 20.7886 15.2065 20.7502 15.3432 20.7064C15.6519 20.6066 16.014 20.4949 16.2803 20.2987C16.2839 20.296 16.2869 20.2924 16.289 20.2883C16.2911 20.2842 16.2923 20.2797 16.2925 20.2751V19.2955C16.2924 19.2911 16.2914 19.2869 16.2895 19.283C16.2876 19.2791 16.2849 19.2758 16.2815 19.2731C16.2782 19.2704 16.2743 19.2686 16.2702 19.2676C16.266 19.2667 16.2617 19.2667 16.2576 19.2677C15.4429 19.4655 14.608 19.5647 13.7703 19.5631C12.3288 19.5631 11.941 18.8677 11.83 18.5782C11.7408 18.3279 
11.6841 18.0669 11.6614 17.8018C11.6612 17.7973 11.662 17.7929 11.6638 17.7888C11.6656 17.7847 11.6683 17.7811 11.6717 17.7783C11.6751 17.7755 11.6791 17.7735 11.6834 17.7726C11.6876 17.7716 11.6921 17.7717 11.6963 17.7728C12.4975 17.9693 13.3188 18.0685 14.1429 18.0682C14.3411 18.0682 14.5387 18.0682 14.737 18.0629C15.5659 18.0393 16.4395 17.9962 17.255 17.8343C17.2754 17.8301 17.2957 17.8266 17.3132 17.8213C18.5995 17.5701 19.8237 16.7819 19.9481 14.786C19.9527 14.7074 19.9644 13.963 19.9644 13.8814C19.965 13.6043 20.0521 11.9156 19.9516 10.8781ZM17.9718 15.8584H16.6191V12.4905C16.6191 11.7815 16.3285 11.4199 15.7373 11.4199C15.0875 11.4199 14.762 11.8477 14.762 12.6926V14.5361H13.4175V12.6926C13.4175 11.8477 13.0914 11.4199 12.4415 11.4199C11.8538 11.4199 11.5603 11.7815 11.5597 12.4905V15.8584H10.2083V12.3883C10.2083 11.6793 10.3863 11.116 10.7425 10.6985C11.1098 10.2819 11.5917 10.068 12.1898 10.068C12.8821 10.068 13.4053 10.3386 13.754 10.8793L14.0906 11.4536L14.4277 10.8793C14.7765 10.3386 15.2996 10.068 15.9908 10.068C16.5883 10.068 17.0702 10.2819 17.4387 10.6985C17.7949 11.1156 17.9729 11.6789 17.9729 12.3883L17.9718 15.8584Z"])</script><script>self.__next_f.push([1,"11:[[\"$\",\"$L17\",null,{\"children\":[\"$\",\"$L18\",null,{\"menu\":[{\"submenu\":{\"product\":{\"rightCol\":{\"nav\":{\"links\":[{\"link\":\"/integrations\",\"_key\":\"c653da519dfb\",\"title\":\"Integrations\"},{\"link\":\"/features\",\"_key\":\"a878da5fa54c\",\"title\":\"Features\"},{\"link\":\"/compare\",\"_key\":\"adda698ed879\",\"title\":\"Compare Tailscale\"},{\"link\":\"/partnerships\",\"_key\":\"b57369965809\",\"title\":\"Partnerships\"}],\"heading\":\"Explore\"}},\"leftCol\":{\"topNav\":{\"heading\":\"Meet Tailscale\",\"links\":[{\"icon\":{\"_type\":\"sanityImage\",\"alt\":\"icon\"},\"link\":\"/blog/how-tailscale-works/\",\"_key\":\"5495d201056a\",\"title\":\"How it 
works\"},{\"icon\":{\"_type\":\"sanityImage\",\"alt\":\"icon\"},\"link\":\"/why-tailscale\",\"_key\":\"dc9cde7ff83cb94cfc98ff29bdcd0997\",\"title\":\"Why Tailscale\"},{\"icon\":{\"_type\":\"sanityImage\",\"alt\":\"WireGuard®\"},\"link\":\"/wireguard-vpn\",\"_key\":\"5d88e3ffcc6b\",\"title\":\"WireGuard® for Enterprises\"},{\"title\":\"Bring Tailscale to Work\",\"icon\":{\"_type\":\"sanityImage\",\"alt\":\"Bring Tailscale to Work\"},\"link\":\"/bring-tailscale-to-work\",\"_key\":\"435de37ddd5f\"}]}}},\"submenuType\":\"product\"},\"hasSubmenu\":true,\"_key\":\"95381f81d527\",\"title\":\"Product\"},{\"submenu\":{\"product\":{\"rightCol\":{\"nav\":{\"heading\":\"By role\",\"links\":[{\"link\":\"/solutions/devops\",\"_key\":\"502a00f49baf\",\"title\":\"DevOps\"},{\"link\":\"/solutions/it\",\"_key\":\"0fe4c0d6fa83\",\"title\":\"IT\"},{\"link\":\"/solutions/security\",\"_key\":\"026f30b876a7\",\"title\":\"Security\"}]}},\"leftCol\":{\"topNav\":{\"heading\":\"By use-case\",\"links\":[{\"link\":\"/use-cases/remote-access\",\"_key\":\"193eaaa0cef8\",\"title\":\"Remote Access\"},{\"title\":\"Site-to-site Networking\",\"link\":\"/use-cases/site-to-site-networking\",\"_key\":\"05cadfcf3e65b04708a9d88060f68f9e\"},{\"link\":\"/use-cases/multi-cloud-networking\",\"_key\":\"fbd28dffeac0\",\"title\":\"Multi-Cloud Networking\"},{\"link\":\"/use-cases/kubernetes\",\"_key\":\"da202f1d966a\",\"title\":\"Kubernetes Networking\"},{\"title\":\"Edge \u0026 IoT Deployments\",\"link\":\"/use-cases/iot\",\"_key\":\"8c78e633c6b1\"},{\"title\":\"Zero Trust Networking\",\"link\":\"/use-cases/zero-trust-networking\",\"_key\":\"6a363d694952\"},{\"link\":\"/use-cases/ai\",\"_key\":\"9c49b97d6b06\",\"title\":\"AI Workloads\"},{\"_key\":\"2602b548bd52\",\"title\":\"Secure SaaS\",\"link\":\"/use-cases/secure-saas\"},{\"title\":\"Business 
VPN\",\"link\":\"/use-cases/business-vpn\",\"_key\":\"6fc65e9fe1c6\"},{\"link\":\"/use-cases/homelab\",\"_key\":\"d99d14013ab3\",\"title\":\"Homelab\"}]}}},\"submenuType\":\"product\"},\"hasSubmenu\":true,\"_key\":\"a7062f1924df\",\"title\":\"Solutions\"},{\"_key\":\"fd055b16290df04c6012d0d33c2fad13\",\"title\":\"Enterprise\",\"submenu\":{\"submenuType\":\"product\"},\"link\":\"/enterprise\",\"hasSubmenu\":false},{\"submenu\":{\"product\":{\"leftCol\":{\"topNav\":{\"heading\":\"Nav heading here\",\"links\":[{\"title\":\"Title here\",\"icon\":{\"alt\":\"Alt text \",\"asset\":{\"_ref\":\"image-a06dc612b1e3e4f4df53a72030002600639a8738-300x120-png\",\"_type\":\"reference\"},\"_type\":\"sanityImage\"},\"link\":\"https://tailscale.com/customers\",\"description\":\"How Cribl Enables Secure Work From Anywhere with Tailscale\",\"_key\":\"2d22491d8262\"}]}}},\"resources\":{\"topNav\":[{\"heading\":\"Cribl\",\"description\":\"How Cribl Enables Secure Work From Anywhere with Tailscale\",\"_key\":\"61d0f0cb130e\"},{\"heading\":\"Cribl\",\"description\":\"How Cribl Enables Secure Work From Anywhere with Tailscale\",\"_key\":\"712684d509a6a6ea07ab9401bdb23f8f\"},{\"heading\":\"Cribl\",\"description\":\"How Cribl Enables Secure Work From Anywhere with 
Tailscale\",\"_key\":\"ceac3f234a3a6923a671af91772b7e8b\"}]},\"submenuType\":\"product\"},\"link\":\"/customers\",\"hasSubmenu\":false,\"_key\":\"b595975539c7407a7ed4510edd549223\",\"title\":\"Customers\"},{\"hasSubmenu\":false,\"_key\":\"f06fabeb084c\",\"title\":\"Docs\",\"submenu\":{\"submenuType\":\"product\"},\"link\":\"/kb/1017/install/\"},{\"title\":\"Blog\",\"submenu\":{\"submenuType\":\"product\"},\"link\":\"/blog\",\"hasSubmenu\":false,\"_key\":\"f2537b6fa068\"},{\"link\":\"/pricing\",\"hasSubmenu\":false,\"_key\":\"e1b7b44dc091\",\"title\":\"Pricing\",\"submenu\":{\"submenuType\":\"product\"}}],\"footerData\":\"$undefined\",\"headerStyle\":\"dark\",\"button\":{\"buttonOptions\":{\"color\":\"black\"},\"_type\":\"button\",\"link\":{\"title\":\"Get started - it's free!\",\"url\":\"https://login.tailscale.com/start\"}}}]}],[\"$\",\"main\",null,{\"className\":\"scope-kb is-wide container\",\"children\":[\"$\",\"$Lc\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"kb\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$Lf\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\",\"styles\":null}]}],[\"$\",\"footer\",null,{\"className\":\" pb-16 md:pb-28 md:pt-20 \",\"children\":[[\"$\",\"div\",null,{\"className\":\"container grid gap-x-4 gap-y-8 pb-8 xxs:grid-cols-2 sm:grid-cols-3 sm:gap-5 md:pb-[110px] lg:grid-cols-6\",\"children\":[[\"$\",\"div\",null,{\"children\":[[\"$\",\"p\",null,{\"className\":\"t-16 !leading-[1.05] text-heading-black\",\"children\":\"Product\"}],[\"$\",\"div\",null,{\"className\":\"mt-4 flex flex-col gap-3 lg:mt-8 lg:gap-4\",\"children\":[[\"$\",\"$L16\",\"Product/blog/how-tailscale-works/\",{\"href\":\"/blog/how-tailscale-works/\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] 
text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"How it works\"}}],[\"$\",\"$L16\",\"Product/pricing\",{\"href\":\"/pricing\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"Pricing\"}}],[\"$\",\"$L16\",\"Product/integrations\",{\"href\":\"/integrations\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"Integrations\"}}],[\"$\",\"$L16\",\"Product/features\",{\"href\":\"/features\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"Features\"}}],[\"$\",\"$L16\",\"Product/compare\",{\"href\":\"/compare\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"Compare Tailscale\"}}]]}]]}],[\"$\",\"div\",null,{\"children\":[[\"$\",\"p\",null,{\"className\":\"t-16 !leading-[1.05] text-heading-black\",\"children\":\"Use Cases\"}],[\"$\",\"div\",null,{\"className\":\"mt-4 flex flex-col gap-3 lg:mt-8 lg:gap-4\",\"children\":[[\"$\",\"$L16\",\"Use Cases/use-cases/business-vpn\",{\"href\":\"/use-cases/business-vpn\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"Business VPN\"}}],[\"$\",\"$L16\",\"Use Cases/use-cases/remote-access\",{\"href\":\"/use-cases/remote-access\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 
hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"Remote Access\"}}],[\"$\",\"$L16\",\"Use Cases/use-cases/site-to-site-networking\",{\"href\":\"/use-cases/site-to-site-networking\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"Site-to-Site Networking\"}}],[\"$\",\"$L16\",\"Use Cases/use-cases/homelab\",{\"href\":\"/use-cases/homelab\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"Homelab\"}}],[\"$\",\"$L16\",\"Use Cases/enterprise\",{\"href\":\"/enterprise\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"Enterprise\"}}]]}]]}],[\"$\",\"div\",null,{\"children\":[[\"$\",\"p\",null,{\"className\":\"t-16 !leading-[1.05] text-heading-black\",\"children\":\"Resources\"}],[\"$\",\"div\",null,{\"className\":\"mt-4 flex flex-col gap-3 lg:mt-8 lg:gap-4\",\"children\":[[\"$\",\"$L16\",\"Resources/blog\",{\"href\":\"/blog\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"Blog\"}}],[\"$\",\"$L16\",\"Resources/events-webinars\",{\"href\":\"/events-webinars\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"Events \u0026 Webinars\"}}],[\"$\",\"$L16\",\"Resources/partnerships\",{\"href\":\"/partnerships\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 
hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"Partnerships\"}}]]}]]}],[\"$\",\"div\",null,{\"children\":[[\"$\",\"p\",null,{\"className\":\"t-16 !leading-[1.05] text-heading-black\",\"children\":\"Company\"}],[\"$\",\"div\",null,{\"className\":\"mt-4 flex flex-col gap-3 lg:mt-8 lg:gap-4\",\"children\":[[\"$\",\"$L16\",\"Company/company\",{\"href\":\"/company\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"Company\"}}],[\"$\",\"$L16\",\"Company/careers\",{\"href\":\"/careers\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"Careers\"}}],[\"$\",\"$L16\",\"Company/press\",{\"href\":\"/press\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"Press\"}}]]}]]}],[\"$\",\"div\",null,{\"children\":[[\"$\",\"p\",null,{\"className\":\"t-16 !leading-[1.05] text-heading-black\",\"children\":\"Help \u0026 Support\"}],[\"$\",\"div\",null,{\"className\":\"mt-4 flex flex-col gap-3 lg:mt-8 lg:gap-4\",\"children\":[[\"$\",\"$L16\",\"Help \u0026 Support/contact/support\",{\"href\":\"/contact/support\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"Support\"}}],[\"$\",\"$L16\",\"Help \u0026 Support/contact/sales\",{\"href\":\"/contact/sales\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"Sales\"}}],[\"$\",\"$L16\",\"Help \u0026 
Support/security\",{\"href\":\"/security\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"Security\"}}],[\"$\",\"$L16\",\"Help \u0026 Support/legal\",{\"href\":\"/legal\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"Legal\"}}],[\"$\",\"$L16\",\"Help \u0026 Support/opensource\",{\"href\":\"/opensource\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"Open Source\"}}],[\"$\",\"$L16\",\"Help \u0026 Support/changelog\",{\"href\":\"/changelog\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"Changelog\"}}]]}]]}],[\"$\",\"div\",null,{\"children\":[[\"$\",\"p\",null,{\"className\":\"t-16 !leading-[1.05] text-heading-black\",\"children\":\"Learn\"}],[\"$\",\"div\",null,{\"className\":\"mt-4 flex flex-col gap-3 lg:mt-8 lg:gap-4\",\"children\":[[\"$\",\"$L16\",\"Learn/learn/generate-ssh-keys/\",{\"href\":\"/learn/generate-ssh-keys/\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"SSH keys\"}}],[\"$\",\"$L16\",\"Learn/learn/ssh-into-docker-container/\",{\"href\":\"/learn/ssh-into-docker-container/\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"Docker 
SSH\"}}],[\"$\",\"$L16\",\"Learn/learn/devsecops/\",{\"href\":\"/learn/devsecops/\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"DevSecOps\"}}],[\"$\",\"$L16\",\"Learn/learn/multicloud/\",{\"href\":\"/learn/multicloud/\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"Multicloud\"}}],[\"$\",\"$L16\",\"Learn/blog/how-nat-traversal-works/\",{\"href\":\"/blog/how-nat-traversal-works/\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"NAT Traversal\"}}],[\"$\",\"$L16\",\"Learn/blog/2021-09-private-dns-with-magicdns/\",{\"href\":\"/blog/2021-09-private-dns-with-magicdns/\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"MagicDNS\"}}],[\"$\",\"$L16\",\"Learn/learn/privileged-access-management/\",{\"href\":\"/learn/privileged-access-management/\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"PAM\"}}],[\"$\",\"$L16\",\"Learn/learn/principle-of-least-privilege/\",{\"href\":\"/learn/principle-of-least-privilege/\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"PoLP\"}}],[\"$\",\"$L16\",\"Learn/learn\",{\"href\":\"/learn\",\"className\":\"text-[14px] !leading-[1.05] !tracking-[0.08px] 
transition-colors duration-300 md:text-[16px] text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"All articles\"}}]]}]]}]]}],[\"$\",\"div\",null,{\"className\":\"container\",\"children\":[\"$\",\"div\",null,{\"className\":\"grid grid-cols-1 gap-x-5 gap-y-8 border-t border-stroke-grey pt-8 xxs:grid-cols-2 md:grid-cols-12 md:pt-[70px] lg:gap-y-[60px]\",\"children\":[[\"$\",\"div\",null,{\"className\":\"xxs:col-span-2 md:col-span-4\",\"children\":[\"$\",\"$L16\",null,{\"href\":\"/\",\"className\":\"block w-[160px]\",\"title\":\"Homepage\",\"data-track\":\"Link Clicked\",\"data-track-properties\":\"{\\\"label\\\": \\\"Footer logo\\\"}\",\"children\":[\"$\",\"svg\",null,{\"className\":\"transition-colors duration-200 \",\"width\":\"100%\",\"height\":\"100%\",\"viewBox\":\"0 0 110 20\",\"fill\":\"none\",\"xmlns\":\"http://www.w3.org/2000/svg\",\"children\":[[\"$\",\"ellipse\",null,{\"cx\":\"2.44719\",\"cy\":\"10.1796\",\"rx\":\"2.44719\",\"ry\":\"2.44128\",\"fill\":\"#242424\"}],[\"$\",\"ellipse\",null,{\"cx\":\"9.79094\",\"cy\":\"10.1796\",\"rx\":\"2.44719\",\"ry\":\"2.44128\",\"fill\":\"#242424\"}],[\"$\",\"ellipse\",null,{\"opacity\":\"0.2\",\"cx\":\"2.44719\",\"cy\":\"17.5077\",\"rx\":\"2.44719\",\"ry\":\"2.44128\",\"fill\":\"#242424\"}],[\"$\",\"ellipse\",null,{\"opacity\":\"0.2\",\"cx\":\"17.1269\",\"cy\":\"17.5077\",\"rx\":\"2.44719\",\"ry\":\"2.44128\",\"fill\":\"#242424\"}],[\"$\",\"ellipse\",null,{\"cx\":\"9.79094\",\"cy\":\"17.5077\",\"rx\":\"2.44719\",\"ry\":\"2.44128\",\"fill\":\"#242424\"}],[\"$\",\"ellipse\",null,{\"cx\":\"17.1269\",\"cy\":\"10.1796\",\"rx\":\"2.44719\",\"ry\":\"2.44128\",\"fill\":\"#242424\"}],[\"$\",\"ellipse\",null,{\"opacity\":\"0.2\",\"cx\":\"2.44719\",\"cy\":\"2.85924\",\"rx\":\"2.44719\",\"ry\":\"2.44128\",\"fill\":\"#242424\"}],[\"$\",\"ellipse\",null,{\"opacity\":\"0.2\",\"cx\":\"9.79094\",\"cy\":\"2.85924\",\"rx\":\"2.44719\",\"ry\":\"2.44128\",\"fill\":\"#242424\"}],[\"$\",\"ellipse\",null,{\"op
acity\":\"0.2\",\"cx\":\"17.1269\",\"cy\":\"2.85924\",\"rx\":\"2.44719\",\"ry\":\"2.44128\",\"fill\":\"#242424\"}],[\"$\",\"path\",null,{\"d\":\"M34.3979 18.458C35.0907 18.458 35.6536 18.3933 36.3248 18.2637V15.7584C35.9134 15.9096 35.4588 15.9528 35.0258 15.9528C33.965 15.9528 33.5753 15.4344 33.5753 14.441V9.34402H36.3248V6.83875H33.5753V3.12403H30.5443V6.83875H28.5742V9.34402H30.5443V14.7217C30.5443 17.0974 31.8 18.458 34.3979 18.458Z\",\"fill\":\"#242424\"}],[\"$\",\"path\",null,{\"d\":\"M41.2747 18.458C42.8984 18.458 43.9809 17.9181 44.5222 17.0758C44.5655 17.443 44.6954 17.9397 44.8686 18.2421H47.5964C47.4449 17.7237 47.3366 16.903 47.3366 16.3631V10.4455C47.3366 8.005 45.583 6.62277 42.617 6.62277C40.3654 6.62277 38.6118 7.46507 37.6376 8.69611L39.3696 10.4023C40.149 9.5384 41.1448 9.08486 42.3572 9.08486C43.8294 9.08486 44.4789 9.58159 44.4789 10.3159C44.4789 10.9422 44.0459 11.3742 41.7077 11.3742C39.4562 11.3742 37.183 12.3028 37.183 14.8945C37.183 17.2918 38.9149 18.458 41.2747 18.458ZM41.8809 16.1687C40.7118 16.1687 40.1706 15.672 40.1706 14.7865C40.1706 14.009 40.8201 13.4907 41.9026 13.4907C43.6345 13.4907 44.1108 13.3827 44.4789 13.0155V13.9442C44.4789 15.1753 43.4397 16.1687 41.8809 16.1687Z\",\"fill\":\"#242424\"}],[\"$\",\"path\",null,{\"d\":\"M49.3069 5.39173H52.4677V2.5625H49.3069V5.39173ZM49.3718 18.2421H52.4028V6.83875H49.3718V18.2421Z\",\"fill\":\"#242424\"}],[\"$\",\"path\",null,{\"d\":\"M54.6109 18.2421H57.6418V2.90805H54.6109V18.2421Z\",\"fill\":\"#242424\"}],[\"$\",\"path\",null,{\"d\":\"M63.9416 18.458C67.2757 18.458 68.986 16.7087 68.986 14.8729C68.986 13.2099 68.1417 11.9789 65.3705 11.4821C63.4221 11.1366 62.2097 10.7046 62.2097 10.0351C62.2097 9.45201 62.9025 9.04166 64.0715 9.04166C65.1107 9.04166 65.9767 9.38722 66.6262 10.1431L68.553 8.52333C67.5788 7.31389 65.9767 6.62277 64.0715 6.62277C61.1489 6.62277 59.3303 8.17777 59.3303 10.0783C59.3303 12.1517 61.2354 13.0803 63.2922 13.4475C65.0025 13.7499 65.9551 14.0738 65.9551 
14.8081C65.9551 15.4344 65.2839 15.9528 64.0066 15.9528C62.7509 15.9528 61.7767 15.3696 61.322 14.5058L58.7674 15.7152C59.3952 17.2702 61.5385 18.458 63.9416 18.458Z\",\"fill\":\"#242424\"}],[\"$\",\"path\",null,{\"d\":\"M75.7621 18.458C77.9271 18.458 79.4859 17.5942 80.6549 15.6504L78.2302 14.4194C77.7755 15.3265 77.0395 15.9528 75.7621 15.9528C73.8353 15.9528 72.7961 14.3978 72.7961 12.5188C72.7961 10.6399 73.9003 9.12805 75.7621 9.12805C76.9312 9.12805 77.7106 9.75437 78.1652 10.7046L80.6116 9.40882C79.7889 7.61625 78.1652 6.62277 75.7621 6.62277C71.8003 6.62277 69.7652 9.5168 69.7652 12.5188C69.7652 15.78 72.2333 18.458 75.7621 18.458Z\",\"fill\":\"#242424\"}],[\"$\",\"path\",null,{\"d\":\"M85.4829 18.458C87.1067 18.458 88.1891 17.9181 88.7304 17.0758C88.7737 17.443 88.9036 17.9397 89.0768 18.2421H91.8046C91.6531 17.7237 91.5448 16.903 91.5448 16.3631V10.4455C91.5448 8.005 89.7912 6.62277 86.8252 6.62277C84.5737 6.62277 82.8201 7.46507 81.8458 8.69611L83.5778 10.4023C84.3572 9.5384 85.353 9.08486 86.5654 9.08486C88.0376 9.08486 88.6871 9.58159 88.6871 10.3159C88.6871 10.9422 88.2541 11.3742 85.9159 11.3742C83.6644 11.3742 81.3912 12.3028 81.3912 14.8945C81.3912 17.2918 83.1231 18.458 85.4829 18.458ZM86.0891 16.1687C84.9201 16.1687 84.3788 15.672 84.3788 14.7865C84.3788 14.009 85.0283 13.4907 86.1108 13.4907C87.8427 13.4907 88.319 13.3827 88.6871 13.0155V13.9442C88.6871 15.1753 87.6479 16.1687 86.0891 16.1687Z\",\"fill\":\"#242424\"}],[\"$\",\"path\",null,{\"d\":\"M93.3263 18.2421H96.3573V2.90805H93.3263V18.2421Z\",\"fill\":\"#242424\"}],[\"$\",\"path\",null,{\"d\":\"M103.631 18.458C105.861 18.458 107.658 17.5726 108.654 15.996L106.359 14.5274C105.753 15.4776 104.952 15.996 103.631 15.996C102.138 15.996 101.055 15.1753 100.774 13.5771H109.39V12.5188C109.39 9.5168 107.55 6.62277 103.61 6.62277C99.8643 6.62277 97.8293 9.5384 97.8293 12.5404C97.8293 16.8167 101.055 18.458 103.631 18.458ZM100.882 11.2014C101.358 9.75437 102.354 9.08486 103.675 9.08486C105.168 
9.08486 106.078 9.97034 106.381 11.2014H100.882Z\",\"fill\":\"#242424\"}]]}]}]}],[\"$\",\"div\",null,{\"className\":\"flex flex-col gap-[14px] md:col-span-2\",\"children\":[[\"$\",\"$L16\",\"/terms\",{\"href\":\"/terms\",\"className\":\"t-14 !leading-[1.05] underline transition-colors duration-300 text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"Terms of Service\"}}],[\"$\",\"$L16\",\"/privacy-policy\",{\"href\":\"/privacy-policy\",\"className\":\"t-14 !leading-[1.05] underline transition-colors duration-300 text-heading-black/60 hover:text-black/100\",\"dangerouslySetInnerHTML\":{\"__html\":\"Privacy Policy\"}}]]}],[\"$\",\"div\",null,{\"className\":\"md:col-span-3\",\"children\":[\"$\",\"div\",null,{\"className\":\"t-14 max-w-[250px] !leading-[1.35] text-heading-black/60 \",\"dangerouslySetInnerHTML\":{\"__html\":\"WireGuard is a registered trademark of Jason A. Donenfeld.\"}}]}],[\"$\",\"div\",null,{\"className\":\"flex gap-[6px] xxs:col-span-2 md:col-span-3 md:flex md:justify-end\",\"children\":[[\"$\",\"$L16\",null,{\"target\":\"_blank\",\"href\":\"https://twitter.com/tailscale\",\"className\":\"group transition-colors duration-300 text-heading-black hover:text-grey-3\",\"data-track\":\"Link Clicked\",\"data-track-properties\":\"{\\\"label\\\": \\\"Footer Twitter logo\\\"}\",\"children\":[\"$\",\"svg\",null,{\"width\":\"28\",\"height\":\"29\",\"viewBox\":\"0 0 28 29\",\"fill\":\"none\",\"xmlns\":\"http://www.w3.org/2000/svg\",\"children\":[[\"$\",\"rect\",null,{\"y\":\"0.988281\",\"width\":\"28\",\"height\":\"28\",\"rx\":\"14\",\"fill\":\"currentColor\"}],[\"$\",\"path\",null,{\"className\":\" transition-colors duration-300 group-hover:fill-heading-black\",\"d\":\"M8.03169 9L13.0509 15.0672L8 20H9.13675L13.5587 15.6812L17.1317 20H21L15.6985 13.5916L20.3997 9H19.263L15.1906 12.9775L11.9001 9H8.03169ZM9.70337 9.75698H11.4805L19.3281 19.2429H17.551L9.70337 
9.75698Z\",\"fill\":\"white\"}]]}]}],[\"$\",\"$L16\",null,{\"target\":\"_blank\",\"href\":\"https://www.facebook.com/tailscale/\",\"className\":\"group transition-colors duration-300 text-heading-black hover:text-grey-3\",\"data-track\":\"Link Clicked\",\"data-track-properties\":\"{\\\"label\\\": \\\"Footer Facebook logo\\\"}\",\"children\":[\"$\",\"svg\",null,{\"width\":\"28\",\"height\":\"28\",\"viewBox\":\"0 0 28 28\",\"fill\":\"none\",\"xmlns\":\"http://www.w3.org/2000/svg\",\"children\":[[\"$\",\"rect\",null,{\"x\":\"0.21875\",\"width\":\"27.2195\",\"height\":\"27.2195\",\"rx\":\"13.6098\",\"fill\":\"currentColor\"}],[\"$\",\"path\",null,{\"className\":\" transition-colors duration-300 group-hover:fill-heading-black\",\"d\":\"M12.434 19.6598L12.4179 14.8081H10.3008V12.7289H12.4179V11.3427C12.4179 9.47188 13.5974 8.57031 15.2966 8.57031C16.1106 8.57031 16.8101 8.62983 17.014 8.65643V10.6115L15.8355 10.612C14.9114 10.612 14.7324 11.0433 14.7324 11.6762V12.7289H17.3577L16.652 14.8081H14.7324V19.6598H12.434Z\",\"fill\":\"#fff\"}]]}]}],[\"$\",\"$L16\",null,{\"target\":\"_blank\",\"href\":\"https://www.linkedin.com/company/tailscale\",\"className\":\"group transition-colors duration-300 text-heading-black hover:text-grey-3\",\"data-track\":\"Link Clicked\",\"data-track-properties\":\"{\\\"label\\\": \\\"Footer LinkedIn logo\\\"}\",\"children\":[\"$\",\"svg\",null,{\"width\":\"28\",\"height\":\"28\",\"viewBox\":\"0 0 28 28\",\"fill\":\"none\",\"xmlns\":\"http://www.w3.org/2000/svg\",\"children\":[[\"$\",\"rect\",null,{\"x\":\"0.439453\",\"width\":\"27.2195\",\"height\":\"27.2195\",\"rx\":\"13.6098\",\"fill\":\"currentColor\"}],[\"$\",\"path\",null,{\"className\":\" transition-colors duration-300 group-hover:fill-heading-black\",\"d\":\"M8.68685 18.6518H10.8825V11.5871H8.68685V18.6518Z\",\"fill\":\"white\"}],[\"$\",\"path\",null,{\"className\":\" transition-colors duration-300 group-hover:fill-heading-black\",\"d\":\"M8.50195 9.34036C8.50195 10.0352 9.07976 10.6143 
9.77312 10.6143C10.4896 10.6143 11.0443 10.0584 11.0443 9.34036C11.0443 8.64547 10.4665 8.06641 9.77312 8.06641C9.07976 8.06641 8.50195 8.64547 8.50195 9.34036Z\",\"fill\":\"white\"}],[\"$\",\"path\",null,{\"className\":\" transition-colors duration-300 group-hover:fill-heading-black\",\"d\":\"M16.8917 18.6518H19.0873V14.7836C19.0873 12.8843 18.6713 11.425 16.4525 11.425C15.3894 11.425 14.6729 12.0041 14.3724 12.56H14.3493V11.5871H12.2461V18.6518H14.4418V15.1542C14.4418 14.2509 14.6267 13.3475 15.7592 13.3475C16.8686 13.3475 16.8917 14.413 16.8917 15.2237V18.6518Z\",\"fill\":\"white\"}]]}]}],[\"$\",\"$L16\",null,{\"target\":\"_blank\",\"href\":\"https://hachyderm.io/@tailscale\",\"rel\":\"me\",\"className\":\"group transition-colors duration-300 text-heading-black hover:text-grey-3\",\"data-track\":\"Link Clicked\",\"data-track-properties\":\"{\\\"label\\\": \\\"Footer Mastodon logo\\\"}\",\"children\":[\"$\",\"svg\",null,{\"width\":\"28\",\"height\":\"29\",\"viewBox\":\"0 0 28 29\",\"fill\":\"none\",\"xmlns\":\"http://www.w3.org/2000/svg\",\"children\":[[\"$\",\"rect\",null,{\"y\":\"0.988281\",\"width\":\"28\",\"height\":\"28\",\"rx\":\"14\",\"fill\":\"currentColor\"}],[\"$\",\"path\",null,{\"className\":\"transition-colors duration-300 group-hover:fill-heading-black\",\"fill\":\"white\",\"d\":\"$19\"}]]}]}],[\"$\",\"$L16\",null,{\"target\":\"_blank\",\"href\":\"https://www.youtube.com/@Tailscale\",\"className\":\"group transition-colors duration-300 text-heading-black hover:text-grey-3\",\"data-track\":\"Link Clicked\",\"data-track-properties\":\"{\\\"label\\\": \\\"Footer Youtube logo\\\"}\",\"children\":[\"$\",\"svg\",null,{\"width\":\"28\",\"height\":\"28\",\"viewBox\":\"0 0 28 28\",\"fill\":\"none\",\"xmlns\":\"http://www.w3.org/2000/svg\",\"children\":[[\"$\",\"rect\",null,{\"x\":\"0.658203\",\"width\":\"27.2195\",\"height\":\"27.2195\",\"rx\":\"13.6098\",\"fill\":\"currentColor\"}],[\"$\",\"path\",null,{\"className\":\" transition-colors duration-300 
group-hover:fill-heading-black\",\"d\":\"M19.6754 11.46C19.5368 10.5863 19.121 9.98138 18.1506 9.84696C16.6258 9.57813 14.2693 9.57812 14.2693 9.57812C14.2693 9.57812 11.9128 9.57813 10.388 9.84696C9.4177 9.98138 8.93254 10.5863 8.86323 11.46C8.72461 12.3337 8.72461 13.6106 8.72461 13.6106C8.72461 13.6106 8.72461 14.8876 8.86323 15.7613C9.00185 16.635 9.4177 17.2399 10.388 17.3743C11.9128 17.6432 14.2693 17.6432 14.2693 17.6432C14.2693 17.6432 16.6258 17.6432 18.1506 17.3743C19.121 17.1727 19.5368 16.635 19.6754 15.7613C19.814 14.8876 19.814 13.6106 19.814 13.6106C19.814 13.6106 19.814 12.3337 19.6754 11.46ZM12.8831 15.6269V11.5944L16.3486 13.6106L12.8831 15.6269Z\",\"fill\":\"white\"}]]}]}]]}],[\"$\",\"div\",null,{\"className\":\"t-14 flex flex-wrap tracking-[0.07px] xxs:col-span-2 md:col-span-12 text-heading-black/60 \",\"children\":[\"© \",2025,\" \",\"Tailscale Inc. All rights reserved. Tailscale is a registered trademark of Tailscale Inc.\"]}]]}]}]]}]]\n"])</script><script>self.__next_f.push([1,"1a:I[15583,[\"231\",\"static/chunks/231-07416b1f957d0db7.js\",\"5828\",\"static/chunks/5828-bdbd767bd529f5f9.js\",\"1850\",\"static/chunks/1850-dd5ed91b5253b88f.js\",\"7163\",\"static/chunks/app/kb/%5B%5B...params%5D%5D/page-4eefb0a22d44c126.js\"],\"Menu\"]\n13d:I[42937,[\"231\",\"static/chunks/231-07416b1f957d0db7.js\",\"5828\",\"static/chunks/5828-bdbd767bd529f5f9.js\",\"1850\",\"static/chunks/1850-dd5ed91b5253b88f.js\",\"7163\",\"static/chunks/app/kb/%5B%5B...params%5D%5D/page-4eefb0a22d44c126.js\"],\"Drawer\"]\n2e3:\"$Sreact.suspense\"\n2e4:I[2800,[\"231\",\"static/chunks/231-07416b1f957d0db7.js\",\"5828\",\"static/chunks/5828-bdbd767bd529f5f9.js\",\"1850\",\"static/chunks/1850-dd5ed91b5253b88f.js\",\"7163\",\"static/chunks/app/kb/%5B%5B...params%5D%5D/page-4eefb0a22d44c126.js\"],\"Search\"]\n2e5:\"$Sreact.fragment\"\n2e6:I[49336,[\"231\",\"static/chunks/231-07416b1f957d0db7.js\",\"5828\",\"static/chunks/5828-bdbd767bd529f5f9.js\",\"1850\",\"static/chunks/1850-dd5ed
nodes\",\"numericId\":1084,\"slug\":\"sharing\",\"nodes\":\"$undefined\"}\n1e8:{\"label\":\"Taildrop with NAS\",\"numericId\":1418,\"slug\":\"taildrop-nas\",\"nodes\":\"$undefined\"}\n1e7:[\"$1e8\"]\n1e6:{\"label\":\"Use Taildrop\",\"numericId\":1106,\"slug\":\"taildrop\",\"items\":\"$a8\",\"nodes\":\"$1e7\"}\n1e3:[\"$1e4\",\"$1e5\",\"$1e6\"]\n1e2:{\"label\":\"Access \u0026 Share Services\",\"group\":true,\"numericId\":1354,\"slug\":\"share\",\"items\":\"$a4\",\"nodes\":\"$1e3\"}\n1ed:{\"label\":\"Examples\",\"numericId\":1247,\"slug\":\"funnel-examples\",\"nodes\":\"$undefined\"}\n1ee:{\"label\":\"Funnel vs. sharing\",\"numericId\":1464,\"slug\":\"funnel-vs-sharing\",\"nodes\":\"$undefined\"}\n1ec:[\"$1ed\",\"$1ee\"]\n1eb:{\"label\":\"Tailscale Funnel\",\"numericId\":1223,\"slug\":\"funnel\",\"items\":\"$ac\",\"nodes\":\"$1ec\"}\n1f1:{\"label\":\"Examples\",\"numericId\":1313,\"slug\":\"serve-examples\",\"nodes\":\"$undefined\"}\n1f0:[\"$1f1\"]\n1ef:{\"label\":\"Tailscale Serve\",\"numericId\":1312,\"slug\":\"serve\",\"items\":\"$b0\",\"nodes\":\"$1f0\"}\n1ea:[\"$1eb\",\"$1ef\"]\n1e9:{\"label\":\"Share a web server\",\"group\":true,\"numericId\":1353,\"slug\":\"share-web-server\",\"items\":\"$aa\",\"nodes\":\"$1ea\"}\n1f4:{\"label\":\"Code from your iPad\",\"numericId\":1166,\"slug\":\"vscode-ipad\",\"nodes\":\"$undefined\"}\n1f5:{\"label\":\"Lock down a server\",\"numericId\":1077,\"slug\":\"secure-server-ubuntu\",\"nodes\":\"$undefined\"}\n1f6:{\"label\":\"Access a PiKVM\",\"numericId\":1292,\"slug\":\"pikvm\",\"nodes\":\"$undefined\"}"])</script><script>self.__next_f.push([1,"\n1f7:{\"label\":\"Run a Pi-hole\",\"numericId\":1114,\"slug\":\"pi-hole\",\"nodes\":\"$undefined\"}\n1f8:{\"label\":\"Secure external services\",\"numericId\":1059,\"slug\":\"ip-blocklist-relays\",\"nodes\":\"$undefined\"}\n1fb:{\"label\":\"Device posture for JIT 
access\",\"numericId\":1383,\"slug\":\"device-posture-for-jit\",\"nodes\":\"$undefined\"}\n1fe:{\"label\":\"ConductorOne\",\"numericId\":1208,\"slug\":\"jit-access-conductorone\",\"nodes\":\"$undefined\"}\n1ff:{\"label\":\"Opal\",\"numericId\":1209,\"slug\":\"jit-access-opal\",\"nodes\":\"$undefined\"}\n200:{\"label\":\"Sym\",\"numericId\":1206,\"slug\":\"jit-access-sym\",\"nodes\":\"$undefined\"}\n1fd:[\"$1fe\",\"$1ff\",\"$200\"]\n1fc:{\"label\":\"3rd party JIT access integrations\",\"numericId\":1374,\"slug\":\"jit-access-integrations\",\"items\":\"$bc\",\"nodes\":\"$1fd\"}\n1fa:[\"$1fb\",\"$1fc\"]\n1f9:{\"label\":\"Just-in-time access\",\"numericId\":1443,\"slug\":\"just-in-time-access\",\"items\":\"$b9\",\"nodes\":\"$1fa\"}\n205:{\"label\":\"Terraform\",\"numericId\":1210,\"slug\":\"terraform-provider\",\"nodes\":\"$undefined\"}\n206:{\"label\":\"Pulumi\",\"numericId\":1211,\"slug\":\"pulumi-provider\",\"nodes\":\"$undefined\"}\n204:[\"$205\",\"$206\"]\n203:{\"label\":\"Infrastructure as code\",\"numericId\":1370,\"slug\":\"infrastructure-as-code\",\"items\":\"$c3\",\"nodes\":\"$204\"}\n207:{\"label\":\"macOS and iOS shortcuts\",\"numericId\":1233,\"slug\":\"mac-ios-shortcuts\",\"nodes\":\"$undefined\"}\n202:[\"$203\",\"$207\"]\n201:{\"label\":\"Automation\",\"numericId\":1430,\"slug\":\"automations\",\"items\":\"$c1\",\"nodes\":\"$202\"}\n1f3:[\"$1f4\",\"$1f5\",\"$1f6\",\"$1f7\",\"$1f8\",\"$1f9\",\"$201\"]\n1f2:{\"label\":\"Solutions\",\"group\":true,\"numericId\":1355,\"slug\":\"solutions\",\"items\":\"$b2\",\"nodes\":\"$1f3\"}\n180:[\"$181\",\"$1ba\",\"$1d4\",\"$1e2\",\"$1e9\",\"$1f2\"]\n178:{\"label\":\"How-to Guides\",\"numericId\":1348,\"slug\":\"guides\",\"items\":\"$179\",\"nodes\":\"$180\"}\n20a:{\"label\":\"Cloud servers\",\"numericId\":\"integrations\",\"slug\":\"cloud-server\",\"items\":\"$c7\"}\n20b:{\"label\":\"Containers and 
virtualization\",\"numericId\":1358,\"slug\":\"containers-and-virtualization\",\"items\":\"$d0\"}\n20c:{\"label\":\"Serverless apps\",\"numericId\":1364,\"slug\":\"serverless\",\"items\":\"$e2\"}\n20d:{\"label\":\"Databases\",\"numericId\":1359,\"slug\":\"database\""])</script><script>self.__next_f.push([1,",\"items\":\"$e8\"}\n20e:{\"label\":\"Remote environments\",\"items\":\"$eb\",\"numericId\":1363,\"slug\":\"remote-code\"}\n20f:{\"label\":\"Developer tools\",\"numericId\":1360,\"slug\":\"developer-tools\",\"items\":\"$f2\"}\n210:{\"label\":\"Firewalls\",\"numericId\":1361,\"slug\":\"firewall\",\"items\":\"$f7\"}\n211:{\"label\":\"Web servers\",\"numericId\":1365,\"slug\":\"webserver\",\"items\":\"$fd\"}\n212:{\"label\":\"NAS\",\"numericId\":1307,\"slug\":\"nas\",\"items\":\"$100\"}\n209:[\"$20a\",\"$20b\",\"$20c\",\"$20d\",\"$20e\",\"$20f\",\"$210\",\"$211\",\"$212\"]\n216:{\"label\":\"AWS Lightsail\",\"numericId\":1128,\"slug\":\"aws-lightsail\",\"nodes\":\"$undefined\"}\n217:{\"label\":\"AWS VPC\",\"numericId\":1021,\"slug\":\"install-aws\",\"nodes\":\"$undefined\"}\n218:{\"label\":\"Azure App Service\",\"numericId\":1126,\"slug\":\"azure-app-service\",\"nodes\":\"$undefined\"}\n219:{\"label\":\"Azure Linux VMs\",\"numericId\":1142,\"slug\":\"cloud-azure-linux\",\"nodes\":\"$undefined\"}\n21a:{\"label\":\"Azure Windows VMs\",\"numericId\":1143,\"slug\":\"cloud-azure-windows\",\"nodes\":\"$undefined\"}\n21b:{\"label\":\"Google Compute Engine VMs\",\"numericId\":1147,\"slug\":\"cloud-gce\",\"nodes\":\"$undefined\"}\n21c:{\"label\":\"Hetzner VMs\",\"numericId\":1150,\"slug\":\"cloud-hetzner\",\"nodes\":\"$undefined\"}\n21d:{\"label\":\"Oracle Cloud VMs\",\"numericId\":1149,\"slug\":\"cloud-oracle\",\"nodes\":\"$undefined\"}\n215:[\"$216\",\"$217\",\"$218\",\"$219\",\"$21a\",\"$21b\",\"$21c\",\"$21d\"]\n214:{\"label\":\"Cloud 
servers\",\"numericId\":\"integrations\",\"slug\":\"cloud-server\",\"items\":\"$c7\",\"nodes\":\"$215\"}\n220:{\"label\":\"Docker\",\"numericId\":1282,\"slug\":\"docker\",\"nodes\":\"$undefined\"}\n225:{\"label\":\"API server proxy\",\"numericId\":1437,\"slug\":\"kubernetes-operator-api-server-proxy\",\"nodes\":\"$undefined\"}\n226:{\"label\":\"Egress\",\"numericId\":1438,\"slug\":\"kubernetes-operator-cluster-egress\",\"nodes\":\"$undefined\"}\n227:{\"label\":\"Ingress\",\"numericId\":1439,\"slug\":\"kubernetes-operator-cluster-ingress\",\"nodes\":\"$undefined\"}\n228:{\"label\":\"Cross cluster\",\"numericId\":1442,\"slug\":\"kubernetes-operator-cross-cluster\",\"nodes\":\"$undefined\"}\n229:{\"label\":\"Cloud services\",\"numericId\":1440,\"slug\":\"kubernetes-operator-cloud-services\",\"nodes\":\"$undefined\"}\n22a:{\"label\":\"Sub"])</script><script>self.__next_f.push([1,"net routers and exit nodes\",\"numericId\":1441,\"slug\":\"kubernetes-operator-connector\",\"nodes\":\"$undefined\"}\n22b:{\"label\":\"App connector\",\"numericId\":1517,\"slug\":\"kubernetes-operator-app-connector\",\"nodes\":\"$undefined\"}\n22c:{\"label\":\"Recorder nodes\",\"numericId\":1484,\"slug\":\"kubernetes-operator-deploying-tsrecorder\",\"nodes\":\"$undefined\"}\n22d:{\"label\":\"Operator resource customization\",\"numericId\":1445,\"slug\":\"kubernetes-operator-customization\",\"nodes\":\"$undefined\"}\n22e:{\"label\":\"Troubleshooting\",\"numericId\":1446,\"slug\":\"kubernetes-operator-troubleshooting\",\"nodes\":\"$undefined\"}\n224:[\"$225\",\"$226\",\"$227\",\"$228\",\"$229\",\"$22a\",\"$22b\",\"$22c\",\"$22d\",\"$22e\"]\n223:{\"label\":\"Kubernetes operator\",\"numericId\":1236,\"slug\":\"kubernetes-operator\",\"items\":\"$d5\",\"nodes\":\"$224\"}\n222:[\"$223\"]\n221:{\"label\":\"Kubernetes\",\"items\":\"$d3\",\"numericId\":1185,\"slug\":\"kubernetes\",\"nodes\":\"$222\"}\n22f:{\"label\":\"LXC 
containers\",\"numericId\":1130,\"slug\":\"lxc-unprivileged\",\"nodes\":\"$undefined\"}\n230:{\"label\":\"Proxmox\",\"numericId\":1133,\"slug\":\"proxmox\",\"nodes\":\"$undefined\"}\n21f:[\"$220\",\"$221\",\"$22f\",\"$230\"]\n21e:{\"label\":\"Containers and virtualization\",\"numericId\":1358,\"slug\":\"containers-and-virtualization\",\"items\":\"$d0\",\"nodes\":\"$21f\"}\n233:{\"label\":\"AWS App Runner\",\"numericId\":1127,\"slug\":\"aws-app-runner\",\"nodes\":\"$undefined\"}\n234:{\"label\":\"AWS Lambda\",\"numericId\":1113,\"slug\":\"aws-lambda\",\"nodes\":\"$undefined\"}\n235:{\"label\":\"Fly.io\",\"numericId\":1132,\"slug\":\"flydotio\",\"nodes\":\"$undefined\"}\n236:{\"label\":\"Google Cloud Run\",\"numericId\":1108,\"slug\":\"cloudrun\",\"nodes\":\"$undefined\"}\n237:{\"label\":\"Heroku\",\"numericId\":1107,\"slug\":\"heroku\",\"nodes\":\"$undefined\"}\n232:[\"$233\",\"$234\",\"$235\",\"$236\",\"$237\"]\n231:{\"label\":\"Serverless apps\",\"numericId\":1364,\"slug\":\"serverless\",\"items\":\"$e2\",\"nodes\":\"$232\"}\n23a:{\"label\":\"AWS RDS\",\"numericId\":1141,\"slug\":\"aws-rds\",\"nodes\":\"$undefined\"}\n23b:{\"label\":\"Crunchy Bridge\",\"numericId\":1231,\"slug\":\"crunchy-bridge\",\"nodes\":\"$undefined\"}\n239:[\"$23a\",\"$23b\"]\n238:{\"label\":\"Databases\",\"numericId\":1359,\"slug\":\"database\",\"items\":\"$e8\",\"nodes\":"])</script><script>self.__next_f.push([1,"\"$239\"}\n23e:{\"label\":\"code-server\",\"numericId\":1164,\"slug\":\"codeserver\",\"nodes\":\"$undefined\"}\n23f:{\"label\":\"Coder\",\"numericId\":1163,\"slug\":\"coder\",\"nodes\":\"$undefined\"}\n240:{\"label\":\"CodeSandbox\",\"numericId\":1221,\"slug\":\"codesandbox\",\"nodes\":\"$undefined\"}\n241:{\"label\":\"GitHub 
Codespaces\",\"numericId\":1160,\"slug\":\"github-codespaces\",\"nodes\":\"$undefined\"}\n242:{\"label\":\"Gitpod\",\"numericId\":1161,\"slug\":\"gitpod\",\"nodes\":\"$undefined\"}\n243:{\"label\":\"OpenVSCode\",\"numericId\":1162,\"slug\":\"openvscode\",\"nodes\":\"$undefined\"}\n23d:[\"$23e\",\"$23f\",\"$240\",\"$241\",\"$242\",\"$243\"]\n23c:{\"label\":\"Remote environments\",\"items\":\"$eb\",\"numericId\":1363,\"slug\":\"remote-code\",\"nodes\":\"$23d\"}\n246:{\"label\":\"Visual Studio Code Extension\",\"numericId\":1265,\"slug\":\"vscode-extension\",\"nodes\":\"$undefined\"}\n247:{\"label\":\"Tailscale GitHub Action\",\"numericId\":1276,\"slug\":\"tailscale-github-action\",\"nodes\":\"$undefined\"}\n248:{\"label\":\"Tailscale with GitLab CI/CD\",\"numericId\":1287,\"slug\":\"tailscale-gitlab-runner\",\"nodes\":\"$undefined\"}\n249:{\"label\":\"Docker Desktop\",\"numericId\":1184,\"slug\":\"docker-desktop\",\"nodes\":\"$undefined\"}\n245:[\"$246\",\"$247\",\"$248\",\"$249\"]\n244:{\"label\":\"Developer tools\",\"numericId\":1360,\"slug\":\"developer-tools\",\"items\":\"$f2\",\"nodes\":\"$245\"}\n24c:{\"label\":\"Overview\",\"numericId\":1181,\"slug\":\"firewalls\",\"nodes\":\"$undefined\"}\n24d:{\"label\":\"OPNsense\",\"numericId\":1097,\"slug\":\"install-opnsense\",\"nodes\":\"$undefined\"}\n24e:{\"label\":\"Palo Alto Networks\",\"numericId\":1333,\"slug\":\"firewall-palo-alto-networks\",\"nodes\":\"$undefined\"}\n24f:{\"label\":\"pfSense\",\"numericId\":1146,\"slug\":\"pfsense\",\"nodes\":\"$undefined\"}\n250:{\"label\":\"Firewall mode\",\"numericId\":1294,\"slug\":\"firewall-mode\",\"nodes\":\"$undefined\"}\n24b:[\"$24c\",\"$24d\",\"$24e\",\"$24f\",\"$250\"]\n24a:{\"label\":\"Firewalls\",\"numericId\":1361,\"slug\":\"firewall\",\"items\":\"$f7\",\"nodes\":\"$24b\"}\n253:{\"label\":\"Caddy Server\",\"numericId\":1190,\"slug\":\"caddy-certificates\",\"nodes\":\"$undefined\"}\n254:{\"label\":\"Traefik 
Proxy\",\"numericId\":1234,\"slug\":\"traefik-certificates\",\"nodes\":\"$undefined\"}\n252:[\"$253\",\"$254\"]\n251:{\"label\":\"Web se"])</script><script>self.__next_f.push([1,"rvers\",\"numericId\":1365,\"slug\":\"webserver\",\"items\":\"$fd\",\"nodes\":\"$252\"}\n257:{\"label\":\"Synology\",\"numericId\":1131,\"slug\":\"synology\",\"nodes\":\"$undefined\"}\n258:{\"label\":\"QNAP\",\"numericId\":1273,\"slug\":\"qnap\",\"nodes\":\"$undefined\"}\n259:{\"label\":\"TrueNAS SCALE\",\"numericId\":1483,\"slug\":\"truenas-scale\",\"nodes\":\"$undefined\"}\n25a:{\"label\":\"Unraid\",\"numericId\":1478,\"slug\":\"unraid\",\"nodes\":\"$undefined\"}\n256:[\"$257\",\"$258\",\"$259\",\"$25a\"]\n255:{\"label\":\"NAS\",\"numericId\":1307,\"slug\":\"nas\",\"items\":\"$100\",\"nodes\":\"$256\"}\n213:[\"$214\",\"$21e\",\"$231\",\"$238\",\"$23c\",\"$244\",\"$24a\",\"$251\",\"$255\"]\n208:{\"label\":\"Integrations\",\"numericId\":1356,\"items\":\"$209\",\"slug\":\"integrations\",\"nodes\":\"$213\"}\n25b:{\"label\":\"FAQ\",\"numericId\":1366,\"slug\":\"faq\",\"nodes\":\"$undefined\"}\n25e:{\"label\":\"Logging overview\",\"numericId\":1011,\"slug\":\"log-mesh-traffic\"}\n25f:{\"label\":\"Configuration audit logging\",\"numericId\":1203,\"slug\":\"audit-logging\"}\n260:{\"label\":\"Network flow logs\",\"numericId\":1219,\"slug\":\"network-flow-logs\"}\n261:{\"label\":\"Log streaming\",\"numericId\":1255,\"slug\":\"log-streaming\"}\n262:{\"label\":\"SSH session recording\",\"numericId\":1246,\"slug\":\"tailscale-ssh-session-recording\",\"items\":\"$105\"}\n263:{\"label\":\"Client metrics\",\"numericId\":1482,\"slug\":\"client-metrics\"}\n264:{\"label\":\"Webhooks\",\"numericId\":1213,\"slug\":\"webhooks\"}\n25d:[\"$25e\",\"$25f\",\"$260\",\"$261\",\"$262\",\"$263\",\"$264\"]\n266:{\"label\":\"Logging overview\",\"numericId\":1011,\"slug\":\"log-mesh-traffic\",\"nodes\":\"$undefined\"}\n267:{\"label\":\"Configuration audit 
logging\",\"numericId\":1203,\"slug\":\"audit-logging\",\"nodes\":\"$undefined\"}\n268:{\"label\":\"Network flow logs\",\"numericId\":1219,\"slug\":\"network-flow-logs\",\"nodes\":\"$undefined\"}\n269:{\"label\":\"Log streaming\",\"numericId\":1255,\"slug\":\"log-streaming\",\"nodes\":\"$undefined\"}\n26c:{\"label\":\"Send recordings to S3\",\"numericId\":1263,\"slug\":\"session-recording-s3\",\"nodes\":\"$undefined\"}\n26d:{\"label\":\"Deploy multiple recorder nodes\",\"numericId\":1262,\"slug\":\"multiple-recorder-nodes\",\"nodes\":\"$undefined\"}\n26b:[\"$26c\",\"$26d\"]\n26a:{\"label\":\"SSH session recording\",\"numericId\":1246,\"slug"])</script><script>self.__next_f.push([1,"\":\"tailscale-ssh-session-recording\",\"items\":\"$105\",\"nodes\":\"$26b\"}\n26e:{\"label\":\"Client metrics\",\"numericId\":1482,\"slug\":\"client-metrics\",\"nodes\":\"$undefined\"}\n26f:{\"label\":\"Webhooks\",\"numericId\":1213,\"slug\":\"webhooks\",\"nodes\":\"$undefined\"}\n265:[\"$266\",\"$267\",\"$268\",\"$269\",\"$26a\",\"$26e\",\"$26f\"]\n25c:{\"label\":\"Logging, Streaming, and Events\",\"numericId\":1349,\"slug\":\"log-events\",\"items\":\"$25d\",\"nodes\":\"$265\"}\n272:{\"label\":\"Contact preferences\",\"numericId\":1224,\"slug\":\"contract-preferences\"}\n273:{\"label\":\"Pricing and billing\",\"numericId\":1375,\"slug\":\"pb-lp\",\"items\":\"$108\"}\n274:{\"label\":\"Tailnet name\",\"numericId\":1217,\"slug\":\"tailnet-name\"}\n275:{\"label\":\"Domain ownership\",\"numericId\":1259,\"slug\":\"domain-ownership\"}\n271:[\"$272\",\"$273\",\"$274\",\"$275\"]\n277:{\"label\":\"Contact preferences\",\"numericId\":1224,\"slug\":\"contract-preferences\",\"nodes\":\"$undefined\"}\n27a:{\"label\":\"Pricing ↗\",\"href\":\"/pricing\",\"nodes\":\"$undefined\"}\n27b:{\"label\":\"Pricing \u0026 Plans FAQ\",\"numericId\":1251,\"slug\":\"pricing-faq\",\"nodes\":\"$undefined\"}\n27c:{\"label\":\"Free plans and 
discounts\",\"numericId\":1154,\"slug\":\"free-plans-discounts\",\"nodes\":\"$undefined\"}\n27d:{\"label\":\"Modify billing\",\"numericId\":1182,\"slug\":\"billing-information\",\"nodes\":\"$undefined\"}\n27e:{\"label\":\"Tailscale on Azure Marketplace\",\"numericId\":1220,\"slug\":\"azure-marketplace\",\"nodes\":\"$undefined\"}\n279:[\"$27a\",\"$27b\",\"$27c\",\"$27d\",\"$27e\"]\n278:{\"label\":\"Pricing and billing\",\"numericId\":1375,\"slug\":\"pb-lp\",\"items\":\"$108\",\"nodes\":\"$279\"}\n27f:{\"label\":\"Tailnet name\",\"numericId\":1217,\"slug\":\"tailnet-name\",\"nodes\":\"$undefined\"}\n280:{\"label\":\"Domain ownership\",\"numericId\":1259,\"slug\":\"domain-ownership\",\"nodes\":\"$undefined\"}\n276:[\"$277\",\"$278\",\"$27f\",\"$280\"]\n270:{\"label\":\"Manage Your Organization\",\"numericId\":1431,\"slug\":\"manage-account\",\"items\":\"$271\",\"nodes\":\"$276\"}\n283:{\"label\":\"ACL syntax\",\"numericId\":1337,\"slug\":\"acl-syntax\",\"items\":\"$10e\"}\n284:{\"label\":\"ACL samples\",\"numericId\":1192,\"slug\":\"acl-samples\"}\n285:{\"label\":\"CLI\",\"numericId\":1080,\"slug\":\"cli\",\"items\":\"$112\"}\n286:{\"label\":\"API\",\"numericI"])</script><script>self.__next_f.push([1,"d\":1101,\"slug\":\"api\",\"items\":\"$118\"}\n287:{\"label\":\"Key prefixes\",\"numericId\":1277,\"slug\":\"key-prefixes\"}\n288:{\"label\":\"Production best practices\",\"numericId\":1300,\"slug\":\"production-best-practices\",\"items\":\"$11e\"}\n289:{\"label\":\"Shared responsibility\",\"numericId\":1212,\"slug\":\"shared-responsibility\"}\n28a:{\"label\":\"Technical overviews\",\"numericId\":1376,\"slug\":\"tech-overviews\",\"items\":\"$128\"}\n28b:{\"label\":\"Terminology and concepts\",\"numericId\":1155,\"slug\":\"terminology-and-concepts\"}\n28c:{\"label\":\"GitHub 
↗\",\"href\":\"https://github.com/tailscale/tailscale\"}\n282:[\"$283\",\"$284\",\"$285\",\"$286\",\"$287\",\"$288\",\"$289\",\"$28a\",\"$28b\",\"$28c\"]\n290:{\"label\":\"Grants\",\"numericId\":1324,\"slug\":\"acl-grants\",\"nodes\":\"$undefined\"}\n291:{\"label\":\"IP sets\",\"numericId\":1387,\"slug\":\"ipsets\",\"nodes\":\"$undefined\"}\n292:{\"label\":\"Via in grants\",\"numericId\":1378,\"slug\":\"via\",\"nodes\":\"$undefined\"}\n28f:[\"$290\",\"$291\",\"$292\"]\n28e:{\"label\":\"ACL syntax\",\"numericId\":1337,\"slug\":\"acl-syntax\",\"items\":\"$10e\",\"nodes\":\"$28f\"}\n293:{\"label\":\"ACL samples\",\"numericId\":1192,\"slug\":\"acl-samples\",\"nodes\":\"$undefined\"}\n296:{\"label\":\"tailscale funnel\",\"numericId\":1311,\"slug\":\"tailscale-funnel\",\"nodes\":\"$undefined\"}\n297:{\"label\":\"tailscale lock\",\"numericId\":1243,\"slug\":\"tailscale-lock\",\"nodes\":\"$undefined\"}\n298:{\"label\":\"tailscale serve\",\"numericId\":1242,\"slug\":\"tailscale-serve\",\"nodes\":\"$undefined\"}\n299:{\"label\":\"tailscale up\",\"numericId\":1241,\"slug\":\"tailscale-up\",\"nodes\":\"$undefined\"}\n29a:{\"label\":\"tailscaled\",\"numericId\":1278,\"slug\":\"tailscaled\",\"nodes\":\"$undefined\"}\n295:[\"$296\",\"$297\",\"$298\",\"$299\",\"$29a\"]\n294:{\"label\":\"CLI\",\"numericId\":1080,\"slug\":\"cli\",\"items\":\"$112\",\"nodes\":\"$295\"}\n29d:{\"label\":\"OAuth clients\",\"numericId\":1215,\"slug\":\"oauth-clients\",\"nodes\":\"$undefined\"}\n2a0:{\"label\":\"Hello tsnet\",\"numericId\":1521,\"slug\":\"hello-tsnet\",\"nodes\":\"$undefined\"}\n2a1:{\"label\":\"tsnet.Server\",\"numericId\":1522,\"slug\":\"tsnet-server\",\"nodes\":\"$undefined\"}\n29f:[\"$2a0\",\"$2a1\"]\n29e:{\"label\":\"tsnet for Go 
programs\",\"numericId\":1244,\"slug\":\"tsnet\",\"items\":\"$11b\",\"nodes\":\"$29f\""])</script><script>self.__next_f.push([1,"}\n29c:[\"$29d\",\"$29e\"]\n29b:{\"label\":\"API\",\"numericId\":1101,\"slug\":\"api\",\"items\":\"$118\",\"nodes\":\"$29c\"}\n2a2:{\"label\":\"Key prefixes\",\"numericId\":1277,\"slug\":\"key-prefixes\",\"nodes\":\"$undefined\"}\n2a5:{\"label\":\"Deployment checklist\",\"numericId\":1344,\"slug\":\"deployment-checklist\",\"nodes\":\"$undefined\"}\n2a8:{\"label\":\"Key and secret management\",\"numericId\":1252,\"slug\":\"key-secret-management\",\"nodes\":\"$undefined\"}\n2a9:{\"label\":\"Secret scanning\",\"numericId\":1301,\"slug\":\"secret-scanning\",\"nodes\":\"$undefined\"}\n2aa:{\"label\":\"Admin with passkey\",\"numericId\":1341,\"slug\":\"tailnet-passkey-admin\",\"nodes\":\"$undefined\"}\n2a7:[\"$2a8\",\"$2a9\",\"$2aa\"]\n2a6:{\"label\":\"Security best practices\",\"items\":\"$121\",\"numericId\":1196,\"slug\":\"security-hardening\",\"nodes\":\"$2a7\"}\n2ab:{\"label\":\"Performance best practices\",\"numericId\":1320,\"slug\":\"performance-best-practices\",\"nodes\":\"$undefined\"}\n2ac:{\"label\":\"AWS reference architecture\",\"numericId\":1296,\"slug\":\"aws-reference-architecture\",\"nodes\":\"$undefined\"}\n2ad:{\"label\":\"Azure reference architecture\",\"numericId\":1314,\"slug\":\"azure-reference-architecture\",\"nodes\":\"$undefined\"}\n2a4:[\"$2a5\",\"$2a6\",\"$2ab\",\"$2ac\",\"$2ad\"]\n2a3:{\"label\":\"Production best practices\",\"numericId\":1300,\"slug\":\"production-best-practices\",\"items\":\"$11e\",\"nodes\":\"$2a4\"}\n2ae:{\"label\":\"Shared responsibility\",\"numericId\":1212,\"slug\":\"shared-responsibility\",\"nodes\":\"$undefined\"}\n2b1:{\"label\":\"About WireGuard\",\"numericId\":1035,\"slug\":\"wireguard\",\"nodes\":\"$undefined\"}\n2b2:{\"label\":\"Tailscale encryption\",\"numericId\":1504,\"slug\":\"encryption\",\"nodes\":\"$undefined\"}\n2b3:{\"label\":\"Control and data 
planes\",\"numericId\":1508,\"slug\":\"control-data-planes\",\"nodes\":\"$undefined\"}\n2b4:{\"label\":\"Direct vs relayed connections\",\"numericId\":1257,\"slug\":\"connection-types\",\"nodes\":\"$undefined\"}\n2b5:{\"label\":\"Device connectivity\",\"numericId\":1411,\"slug\":\"device-connectivity\",\"nodes\":\"$undefined\"}\n2b6:{\"label\":\"How Tailscale assigns IP addresses\",\"numericId\":1033,\"slug\":\"ip-and-dns-addresses\",\"nodes\":\"$undefined\"}\n2b7:{\"label\":\"Tailscale and the OSI model\",\"numeri"])</script><script>self.__next_f.push([1,"cId\":1456,\"slug\":\"osi\",\"nodes\":\"$undefined\"}\n2b8:{\"label\":\"Smaller binaries for embedded devices\",\"numericId\":1207,\"slug\":\"small-tailscale\",\"nodes\":\"$undefined\"}\n2b9:{\"label\":\"Kernel vs. netstack subnet routing \u0026 exit nodes\",\"numericId\":1177,\"slug\":\"kernel-vs-userspace-routers\",\"nodes\":\"$undefined\"}\n2ba:{\"label\":\"Userspace networking mode\",\"numericId\":1112,\"slug\":\"userspace-networking\",\"nodes\":\"$undefined\"}\n2bb:{\"label\":\"Node keys\",\"numericId\":1010,\"slug\":\"node-keys\",\"nodes\":\"$undefined\"}\n2bc:{\"label\":\"Protect SSH Servers\",\"numericId\":1009,\"slug\":\"protect-ssh-servers\",\"nodes\":\"$undefined\"}\n2bd:{\"label\":\"Tailnet lock white paper\",\"numericId\":1230,\"slug\":\"tailnet-lock-whitepaper\",\"nodes\":\"$undefined\"}\n2be:{\"label\":\"DERP servers\",\"numericId\":1232,\"slug\":\"derp-servers\",\"nodes\":\"$undefined\"}\n2bf:{\"label\":\"Zero Trust Networking (ZTN)\",\"numericId\":1123,\"slug\":\"zero-trust\",\"nodes\":\"$undefined\"}\n2c0:{\"label\":\"IPv4 vs. 
IPv6 FAQ\",\"numericId\":1134,\"slug\":\"ipv6-faq\",\"nodes\":\"$undefined\"}\n2b0:[\"$2b1\",\"$2b2\",\"$2b3\",\"$2b4\",\"$2b5\",\"$2b6\",\"$2b7\",\"$2b8\",\"$2b9\",\"$2ba\",\"$2bb\",\"$2bc\",\"$2bd\",\"$2be\",\"$2bf\",\"$2c0\"]\n2af:{\"label\":\"Technical overviews\",\"numericId\":1376,\"slug\":\"tech-overviews\",\"items\":\"$128\",\"nodes\":\"$2b0\"}\n2c1:{\"label\":\"Terminology and concepts\",\"numericId\":1155,\"slug\":\"terminology-and-concepts\",\"nodes\":\"$undefined\"}\n2c2:{\"label\":\"GitHub ↗\",\"href\":\"https://github.com/tailscale/tailscale\",\"nodes\":\"$undefined\"}\n28d:[\"$28e\",\"$293\",\"$294\",\"$29b\",\"$2a2\",\"$2a3\",\"$2ae\",\"$2af\",\"$2c1\",\"$2c2\"]\n281:{\"label\":\"Reference\",\"numericId\":1367,\"slug\":\"reference\",\"items\":\"$282\",\"nodes\":\"$28d\"}\n2c5:{\"label\":\"Troubleshooting\",\"numericId\":1023,\"slug\":\"troubleshooting\",\"items\":\"$139\"}\n2c6:{\"label\":\"Support options\",\"numericId\":1250,\"slug\":\"support-options\"}\n2c7:{\"label\":\"Contact support ↗\",\"href\":\"/contact/support\"}\n2c8:{\"label\":\"Generate a bug report\",\"numericId\":1227,\"slug\":\"bug-report\"}\n2c4:[\"$2c5\",\"$2c6\",\"$2c7\",\"$2c8\"]\n2cc:{\"label\":\"Troubleshoot device connectivity\",\"numericId\":1463,\"slug\":\"troubleshoot-connectivity\",\"nodes\":\"$undefined\"}\n"])</script><script>self.__next_f.push([1,"2cb:[\"$2cc\"]\n2ca:{\"label\":\"Troubleshooting\",\"numericId\":1023,\"slug\":\"troubleshooting\",\"items\":\"$139\",\"nodes\":\"$2cb\"}\n2cd:{\"label\":\"Support options\",\"numericId\":1250,\"slug\":\"support-options\",\"nodes\":\"$undefined\"}\n2ce:{\"label\":\"Contact support ↗\",\"href\":\"/contact/support\",\"nodes\":\"$undefined\"}\n2cf:{\"label\":\"Generate a bug report\",\"numericId\":1227,\"slug\":\"bug-report\",\"nodes\":\"$undefined\"}\n2c9:[\"$2ca\",\"$2cd\",\"$2ce\",\"$2cf\"]\n2c3:{\"label\":\"Get 
Support\",\"numericId\":1432,\"slug\":\"get-support\",\"items\":\"$2c4\",\"nodes\":\"$2c9\"}\n2d2:{\"label\":\"Changelog ↗\",\"href\":\"/changelog\"}\n2d3:{\"label\":\"Comparisons ↗\",\"href\":\"/compare\"}\n2d4:{\"label\":\"Release stages\",\"numericId\":1167,\"slug\":\"release-stages\"}\n2d5:{\"label\":\"Security ↗\",\"href\":\"/security\"}\n2d6:{\"label\":\"Versions\",\"numericId\":1168,\"slug\":\"versions\",\"items\":\"$13b\"}\n2d7:{\"label\":\"Use cases\",\"numericId\":1377,\"slug\":\"use-cases\"}\n2d8:{\"label\":\"Invite only features\",\"numericId\":1222,\"slug\":\"invite-only-feature\"}\n2d1:[\"$2d2\",\"$2d3\",\"$2d4\",\"$2d5\",\"$2d6\",\"$2d7\",\"$2d8\"]\n2da:{\"label\":\"Changelog ↗\",\"href\":\"/changelog\",\"nodes\":\"$undefined\"}\n2db:{\"label\":\"Comparisons ↗\",\"href\":\"/compare\",\"nodes\":\"$undefined\"}\n2dc:{\"label\":\"Release stages\",\"numericId\":1167,\"slug\":\"release-stages\",\"nodes\":\"$undefined\"}\n2dd:{\"label\":\"Security ↗\",\"href\":\"/security\",\"nodes\":\"$undefined\"}\n2e0:{\"label\":\"Unstable builds\",\"numericId\":1083,\"slug\":\"install-unstable\",\"nodes\":\"$undefined\"}\n2df:[\"$2e0\"]\n2de:{\"label\":\"Versions\",\"numericId\":1168,\"slug\":\"versions\",\"items\":\"$13b\",\"nodes\":\"$2df\"}\n2e1:{\"label\":\"Use cases\",\"numericId\":1377,\"slug\":\"use-cases\",\"nodes\":\"$undefined\"}\n2e2:{\"label\":\"Invite only features\",\"numericId\":1222,\"slug\":\"invite-only-feature\",\"nodes\":\"$undefined\"}\n2d9:[\"$2da\",\"$2db\",\"$2dc\",\"$2dd\",\"$2de\",\"$2e1\",\"$2e2\"]\n2d0:{\"label\":\"Resources\",\"numericId\":1368,\"slug\":\"resources\",\"items\":\"$2d1\",\"nodes\":\"$2d9\"}\n13f:[\"$140\",\"$178\",\"$208\",\"$25b\",\"$25c\",\"$270\",\"$281\",\"$2c3\",\"$2d0\"]\n"])</script><script>self.__next_f.push([1,"b:[\"$\",\"div\",null,{\"className\":\"grid grid-cols-10 gap-x-8 pt-4 md:pt-8\",\"children\":[[\"$\",\"aside\",null,{\"className\":\"js-docHighlight col-span-10 md:col-span-3 md:row-span-2 
Proxy\",\"numericId\":1234,\"slug\":\"traefik-certificates\",\"nodes\":\"$undefined\"}]},{\"label\":\"NAS\",\"numericId\":1307,\"slug\":\"nas\",\"items\":\"$100\",\"nodes\":[{\"label\":\"Synology\",\"numericId\":1131,\"slug\":\"synology\",\"nodes\":\"$undefined\"},{\"label\":\"QNAP\",\"numericId\":1273,\"slug\":\"qnap\",\"nodes\":\"$undefined\"},{\"label\":\"TrueNAS SCALE\",\"numericId\":1483,\"slug\":\"truenas-scale\",\"nodes\":\"$undefined\"},{\"label\":\"Unraid\",\"numericId\":1478,\"slug\":\"unraid\",\"nodes\":\"$undefined\"}]}]},{\"label\":\"FAQ\",\"numericId\":1366,\"slug\":\"faq\",\"nodes\":\"$undefined\"},{\"label\":\"Logging, Streaming, and Events\",\"numericId\":1349,\"slug\":\"log-events\",\"items\":[{\"label\":\"Logging overview\",\"numericId\":1011,\"slug\":\"log-mesh-traffic\"},{\"label\":\"Configuration audit logging\",\"numericId\":1203,\"slug\":\"audit-logging\"},{\"label\":\"Network flow logs\",\"numericId\":1219,\"slug\":\"network-flow-logs\"},{\"label\":\"Log streaming\",\"numericId\":1255,\"slug\":\"log-streaming\"},{\"label\":\"SSH session recording\",\"numericId\":1246,\"slug\":\"tailscale-ssh-session-recording\",\"items\":[{\"label\":\"Send recordings to S3\",\"numericId\":1263,\"slug\":\"session-recording-s3\"},{\"label\":\"Deploy multiple recorder nodes\",\"numericId\":1262,\"slug\":\"multiple-recorder-nodes\"}]},{\"label\":\"Client metrics\",\"numericId\":1482,\"slug\":\"client-metrics\"},{\"label\":\"Webhooks\",\"numericId\":1213,\"slug\":\"webhooks\"}],\"nodes\":[{\"label\":\"Logging overview\",\"numericId\":1011,\"slug\":\"log-mesh-traffic\",\"nodes\":\"$undefined\"},{\"label\":\"Configuration audit logging\",\"numericId\":1203,\"slug\":\"audit-logging\",\"nodes\":\"$undefined\"},{\"label\":\"Network flow logs\",\"numericId\":1219,\"slug\":\"network-flow-logs\",\"nodes\":\"$undefined\"},{\"label\":\"Log streaming\",\"numericId\":1255,\"slug\":\"log-streaming\",\"nodes\":\"$undefined\"},{\"label\":\"SSH session 
recording\",\"numericId\":1246,\"slug\":\"tailscale-ssh-session-recording\",\"items\":\"$105\",\"nodes\":[{\"label\":\"Send recordings to S3\",\"numericId\":1263,\"slug\":\"session-recording-s3\",\"nodes\":\"$undefined\"},{\"label\":\"Deploy multiple recorder nodes\",\"numericId\":1262,\"slug\":\"multiple-recorder-nodes\",\"nodes\":\"$undefined\"}]},{\"label\":\"Client metrics\",\"numericId\":1482,\"slug\":\"client-metrics\",\"nodes\":\"$undefined\"},{\"label\":\"Webhooks\",\"numericId\":1213,\"slug\":\"webhooks\",\"nodes\":\"$undefined\"}]},{\"label\":\"Manage Your Organization\",\"numericId\":1431,\"slug\":\"manage-account\",\"items\":[{\"label\":\"Contact preferences\",\"numericId\":1224,\"slug\":\"contract-preferences\"},{\"label\":\"Pricing and billing\",\"numericId\":1375,\"slug\":\"pb-lp\",\"items\":[{\"label\":\"Pricing ↗\",\"href\":\"/pricing\"},{\"label\":\"Pricing \u0026 Plans FAQ\",\"numericId\":1251,\"slug\":\"pricing-faq\"},{\"label\":\"Free plans and discounts\",\"numericId\":1154,\"slug\":\"free-plans-discounts\"},{\"label\":\"Modify billing\",\"numericId\":1182,\"slug\":\"billing-information\"},{\"label\":\"Tailscale on Azure Marketplace\",\"numericId\":1220,\"slug\":\"azure-marketplace\"}]},{\"label\":\"Tailnet name\",\"numericId\":1217,\"slug\":\"tailnet-name\"},{\"label\":\"Domain ownership\",\"numericId\":1259,\"slug\":\"domain-ownership\"}],\"nodes\":[{\"label\":\"Contact preferences\",\"numericId\":1224,\"slug\":\"contract-preferences\",\"nodes\":\"$undefined\"},{\"label\":\"Pricing and billing\",\"numericId\":1375,\"slug\":\"pb-lp\",\"items\":\"$108\",\"nodes\":[{\"label\":\"Pricing ↗\",\"href\":\"/pricing\",\"nodes\":\"$undefined\"},{\"label\":\"Pricing \u0026 Plans FAQ\",\"numericId\":1251,\"slug\":\"pricing-faq\",\"nodes\":\"$undefined\"},{\"label\":\"Free plans and discounts\",\"numericId\":1154,\"slug\":\"free-plans-discounts\",\"nodes\":\"$undefined\"},{\"label\":\"Modify 
billing\",\"numericId\":1182,\"slug\":\"billing-information\",\"nodes\":\"$undefined\"},{\"label\":\"Tailscale on Azure Marketplace\",\"numericId\":1220,\"slug\":\"azure-marketplace\",\"nodes\":\"$undefined\"}]},{\"label\":\"Tailnet name\",\"numericId\":1217,\"slug\":\"tailnet-name\",\"nodes\":\"$undefined\"},{\"label\":\"Domain ownership\",\"numericId\":1259,\"slug\":\"domain-ownership\",\"nodes\":\"$undefined\"}]},{\"label\":\"Reference\",\"numericId\":1367,\"slug\":\"reference\",\"items\":[{\"label\":\"ACL syntax\",\"numericId\":1337,\"slug\":\"acl-syntax\",\"items\":[{\"label\":\"Grants\",\"numericId\":1324,\"slug\":\"acl-grants\"},{\"label\":\"IP sets\",\"numericId\":1387,\"slug\":\"ipsets\"},{\"label\":\"Via in grants\",\"numericId\":1378,\"slug\":\"via\"}]},{\"label\":\"ACL samples\",\"numericId\":1192,\"slug\":\"acl-samples\"},{\"label\":\"CLI\",\"numericId\":1080,\"slug\":\"cli\",\"items\":[{\"label\":\"tailscale funnel\",\"numericId\":1311,\"slug\":\"tailscale-funnel\"},{\"label\":\"tailscale lock\",\"numericId\":1243,\"slug\":\"tailscale-lock\"},{\"label\":\"tailscale serve\",\"numericId\":1242,\"slug\":\"tailscale-serve\"},{\"label\":\"tailscale up\",\"numericId\":1241,\"slug\":\"tailscale-up\"},{\"label\":\"tailscaled\",\"numericId\":1278,\"slug\":\"tailscaled\"}]},{\"label\":\"API\",\"numericId\":1101,\"slug\":\"api\",\"items\":[{\"label\":\"OAuth clients\",\"numericId\":1215,\"slug\":\"oauth-clients\"},{\"label\":\"tsnet for Go programs\",\"numericId\":1244,\"slug\":\"tsnet\",\"items\":[{\"label\":\"Hello tsnet\",\"numericId\":1521,\"slug\":\"hello-tsnet\"},{\"label\":\"tsnet.Server\",\"numericId\":1522,\"slug\":\"tsnet-server\"}]}]},{\"label\":\"Key prefixes\",\"numericId\":1277,\"slug\":\"key-prefixes\"},{\"label\":\"Production best practices\",\"numericId\":1300,\"slug\":\"production-best-practices\",\"items\":[{\"label\":\"Deployment checklist\",\"numericId\":1344,\"slug\":\"deployment-checklist\"},{\"label\":\"Security best 
practices\",\"items\":[{\"label\":\"Key and secret management\",\"numericId\":1252,\"slug\":\"key-secret-management\"},{\"label\":\"Secret scanning\",\"numericId\":1301,\"slug\":\"secret-scanning\"},{\"label\":\"Admin with passkey\",\"numericId\":1341,\"slug\":\"tailnet-passkey-admin\"}],\"numericId\":1196,\"slug\":\"security-hardening\"},{\"label\":\"Performance best practices\",\"numericId\":1320,\"slug\":\"performance-best-practices\"},{\"label\":\"AWS reference architecture\",\"numericId\":1296,\"slug\":\"aws-reference-architecture\"},{\"label\":\"Azure reference architecture\",\"numericId\":1314,\"slug\":\"azure-reference-architecture\"}]},{\"label\":\"Shared responsibility\",\"numericId\":1212,\"slug\":\"shared-responsibility\"},{\"label\":\"Technical overviews\",\"numericId\":1376,\"slug\":\"tech-overviews\",\"items\":[{\"label\":\"About WireGuard\",\"numericId\":1035,\"slug\":\"wireguard\"},{\"label\":\"Tailscale encryption\",\"numericId\":1504,\"slug\":\"encryption\"},{\"label\":\"Control and data planes\",\"numericId\":1508,\"slug\":\"control-data-planes\"},{\"label\":\"Direct vs relayed connections\",\"numericId\":1257,\"slug\":\"connection-types\"},{\"label\":\"Device connectivity\",\"numericId\":1411,\"slug\":\"device-connectivity\"},{\"label\":\"How Tailscale assigns IP addresses\",\"numericId\":1033,\"slug\":\"ip-and-dns-addresses\"},{\"label\":\"Tailscale and the OSI model\",\"numericId\":1456,\"slug\":\"osi\"},{\"label\":\"Smaller binaries for embedded devices\",\"numericId\":1207,\"slug\":\"small-tailscale\"},{\"label\":\"Kernel vs. 
netstack subnet routing \u0026 exit nodes\",\"numericId\":1177,\"slug\":\"kernel-vs-userspace-routers\"},{\"label\":\"Userspace networking mode\",\"numericId\":1112,\"slug\":\"userspace-networking\"},{\"label\":\"Node keys\",\"numericId\":1010,\"slug\":\"node-keys\"},{\"label\":\"Protect SSH Servers\",\"numericId\":1009,\"slug\":\"protect-ssh-servers\"},{\"label\":\"Tailnet lock white paper\",\"numericId\":1230,\"slug\":\"tailnet-lock-whitepaper\"},{\"label\":\"DERP servers\",\"numericId\":1232,\"slug\":\"derp-servers\"},{\"label\":\"Zero Trust Networking (ZTN)\",\"numericId\":1123,\"slug\":\"zero-trust\"},{\"label\":\"IPv4 vs. IPv6 FAQ\",\"numericId\":1134,\"slug\":\"ipv6-faq\"}]},{\"label\":\"Terminology and concepts\",\"numericId\":1155,\"slug\":\"terminology-and-concepts\"},{\"label\":\"GitHub ↗\",\"href\":\"https://github.com/tailscale/tailscale\"}],\"nodes\":[{\"label\":\"ACL syntax\",\"numericId\":1337,\"slug\":\"acl-syntax\",\"items\":\"$10e\",\"nodes\":[{\"label\":\"Grants\",\"numericId\":1324,\"slug\":\"acl-grants\",\"nodes\":\"$undefined\"},{\"label\":\"IP sets\",\"numericId\":1387,\"slug\":\"ipsets\",\"nodes\":\"$undefined\"},{\"label\":\"Via in grants\",\"numericId\":1378,\"slug\":\"via\",\"nodes\":\"$undefined\"}]},{\"label\":\"ACL samples\",\"numericId\":1192,\"slug\":\"acl-samples\",\"nodes\":\"$undefined\"},{\"label\":\"CLI\",\"numericId\":1080,\"slug\":\"cli\",\"items\":\"$112\",\"nodes\":[{\"label\":\"tailscale funnel\",\"numericId\":1311,\"slug\":\"tailscale-funnel\",\"nodes\":\"$undefined\"},{\"label\":\"tailscale lock\",\"numericId\":1243,\"slug\":\"tailscale-lock\",\"nodes\":\"$undefined\"},{\"label\":\"tailscale serve\",\"numericId\":1242,\"slug\":\"tailscale-serve\",\"nodes\":\"$undefined\"},{\"label\":\"tailscale 
up\",\"numericId\":1241,\"slug\":\"tailscale-up\",\"nodes\":\"$undefined\"},{\"label\":\"tailscaled\",\"numericId\":1278,\"slug\":\"tailscaled\",\"nodes\":\"$undefined\"}]},{\"label\":\"API\",\"numericId\":1101,\"slug\":\"api\",\"items\":\"$118\",\"nodes\":[{\"label\":\"OAuth clients\",\"numericId\":1215,\"slug\":\"oauth-clients\",\"nodes\":\"$undefined\"},{\"label\":\"tsnet for Go programs\",\"numericId\":1244,\"slug\":\"tsnet\",\"items\":\"$11b\",\"nodes\":[{\"label\":\"Hello tsnet\",\"numericId\":1521,\"slug\":\"hello-tsnet\",\"nodes\":\"$undefined\"},{\"label\":\"tsnet.Server\",\"numericId\":1522,\"slug\":\"tsnet-server\",\"nodes\":\"$undefined\"}]}]},{\"label\":\"Key prefixes\",\"numericId\":1277,\"slug\":\"key-prefixes\",\"nodes\":\"$undefined\"},{\"label\":\"Production best practices\",\"numericId\":1300,\"slug\":\"production-best-practices\",\"items\":\"$11e\",\"nodes\":[{\"label\":\"Deployment checklist\",\"numericId\":1344,\"slug\":\"deployment-checklist\",\"nodes\":\"$undefined\"},{\"label\":\"Security best practices\",\"items\":\"$121\",\"numericId\":1196,\"slug\":\"security-hardening\",\"nodes\":[{\"label\":\"Key and secret management\",\"numericId\":1252,\"slug\":\"key-secret-management\",\"nodes\":\"$undefined\"},{\"label\":\"Secret scanning\",\"numericId\":1301,\"slug\":\"secret-scanning\",\"nodes\":\"$undefined\"},{\"label\":\"Admin with passkey\",\"numericId\":1341,\"slug\":\"tailnet-passkey-admin\",\"nodes\":\"$undefined\"}]},{\"label\":\"Performance best practices\",\"numericId\":1320,\"slug\":\"performance-best-practices\",\"nodes\":\"$undefined\"},{\"label\":\"AWS reference architecture\",\"numericId\":1296,\"slug\":\"aws-reference-architecture\",\"nodes\":\"$undefined\"},{\"label\":\"Azure reference architecture\",\"numericId\":1314,\"slug\":\"azure-reference-architecture\",\"nodes\":\"$undefined\"}]},{\"label\":\"Shared responsibility\",\"numericId\":1212,\"slug\":\"shared-responsibility\",\"nodes\":\"$undefined\"},{\"label\":\"Technical 
overviews\",\"numericId\":1376,\"slug\":\"tech-overviews\",\"items\":\"$128\",\"nodes\":[{\"label\":\"About WireGuard\",\"numericId\":1035,\"slug\":\"wireguard\",\"nodes\":\"$undefined\"},{\"label\":\"Tailscale encryption\",\"numericId\":1504,\"slug\":\"encryption\",\"nodes\":\"$undefined\"},{\"label\":\"Control and data planes\",\"numericId\":1508,\"slug\":\"control-data-planes\",\"nodes\":\"$undefined\"},{\"label\":\"Direct vs relayed connections\",\"numericId\":1257,\"slug\":\"connection-types\",\"nodes\":\"$undefined\"},{\"label\":\"Device connectivity\",\"numericId\":1411,\"slug\":\"device-connectivity\",\"nodes\":\"$undefined\"},{\"label\":\"How Tailscale assigns IP addresses\",\"numericId\":1033,\"slug\":\"ip-and-dns-addresses\",\"nodes\":\"$undefined\"},{\"label\":\"Tailscale and the OSI model\",\"numericId\":1456,\"slug\":\"osi\",\"nodes\":\"$undefined\"},{\"label\":\"Smaller binaries for embedded devices\",\"numericId\":1207,\"slug\":\"small-tailscale\",\"nodes\":\"$undefined\"},{\"label\":\"Kernel vs. netstack subnet routing \u0026 exit nodes\",\"numericId\":1177,\"slug\":\"kernel-vs-userspace-routers\",\"nodes\":\"$undefined\"},{\"label\":\"Userspace networking mode\",\"numericId\":1112,\"slug\":\"userspace-networking\",\"nodes\":\"$undefined\"},{\"label\":\"Node keys\",\"numericId\":1010,\"slug\":\"node-keys\",\"nodes\":\"$undefined\"},{\"label\":\"Protect SSH Servers\",\"numericId\":1009,\"slug\":\"protect-ssh-servers\",\"nodes\":\"$undefined\"},{\"label\":\"Tailnet lock white paper\",\"numericId\":1230,\"slug\":\"tailnet-lock-whitepaper\",\"nodes\":\"$undefined\"},{\"label\":\"DERP servers\",\"numericId\":1232,\"slug\":\"derp-servers\",\"nodes\":\"$undefined\"},{\"label\":\"Zero Trust Networking (ZTN)\",\"numericId\":1123,\"slug\":\"zero-trust\",\"nodes\":\"$undefined\"},{\"label\":\"IPv4 vs. 
IPv6 FAQ\",\"numericId\":1134,\"slug\":\"ipv6-faq\",\"nodes\":\"$undefined\"}]},{\"label\":\"Terminology and concepts\",\"numericId\":1155,\"slug\":\"terminology-and-concepts\",\"nodes\":\"$undefined\"},{\"label\":\"GitHub ↗\",\"href\":\"https://github.com/tailscale/tailscale\",\"nodes\":\"$undefined\"}]},{\"label\":\"Get Support\",\"numericId\":1432,\"slug\":\"get-support\",\"items\":[{\"label\":\"Troubleshooting\",\"numericId\":1023,\"slug\":\"troubleshooting\",\"items\":[{\"label\":\"Troubleshoot device connectivity\",\"numericId\":1463,\"slug\":\"troubleshoot-connectivity\"}]},{\"label\":\"Support options\",\"numericId\":1250,\"slug\":\"support-options\"},{\"label\":\"Contact support ↗\",\"href\":\"/contact/support\"},{\"label\":\"Generate a bug report\",\"numericId\":1227,\"slug\":\"bug-report\"}],\"nodes\":[{\"label\":\"Troubleshooting\",\"numericId\":1023,\"slug\":\"troubleshooting\",\"items\":\"$139\",\"nodes\":[{\"label\":\"Troubleshoot device connectivity\",\"numericId\":1463,\"slug\":\"troubleshoot-connectivity\",\"nodes\":\"$undefined\"}]},{\"label\":\"Support options\",\"numericId\":1250,\"slug\":\"support-options\",\"nodes\":\"$undefined\"},{\"label\":\"Contact support ↗\",\"href\":\"/contact/support\",\"nodes\":\"$undefined\"},{\"label\":\"Generate a bug report\",\"numericId\":1227,\"slug\":\"bug-report\",\"nodes\":\"$undefined\"}]},{\"label\":\"Resources\",\"numericId\":1368,\"slug\":\"resources\",\"items\":[{\"label\":\"Changelog ↗\",\"href\":\"/changelog\"},{\"label\":\"Comparisons ↗\",\"href\":\"/compare\"},{\"label\":\"Release stages\",\"numericId\":1167,\"slug\":\"release-stages\"},{\"label\":\"Security ↗\",\"href\":\"/security\"},{\"label\":\"Versions\",\"numericId\":1168,\"slug\":\"versions\",\"items\":[{\"label\":\"Unstable builds\",\"numericId\":1083,\"slug\":\"install-unstable\"}]},{\"label\":\"Use cases\",\"numericId\":1377,\"slug\":\"use-cases\"},{\"label\":\"Invite only 
features\",\"numericId\":1222,\"slug\":\"invite-only-feature\"}],\"nodes\":[{\"label\":\"Changelog ↗\",\"href\":\"/changelog\",\"nodes\":\"$undefined\"},{\"label\":\"Comparisons ↗\",\"href\":\"/compare\",\"nodes\":\"$undefined\"},{\"label\":\"Release stages\",\"numericId\":1167,\"slug\":\"release-stages\",\"nodes\":\"$undefined\"},{\"label\":\"Security ↗\",\"href\":\"/security\",\"nodes\":\"$undefined\"},{\"label\":\"Versions\",\"numericId\":1168,\"slug\":\"versions\",\"items\":\"$13b\",\"nodes\":[{\"label\":\"Unstable builds\",\"numericId\":1083,\"slug\":\"install-unstable\",\"nodes\":\"$undefined\"}]},{\"label\":\"Use cases\",\"numericId\":1377,\"slug\":\"use-cases\",\"nodes\":\"$undefined\"},{\"label\":\"Invite only features\",\"numericId\":1222,\"slug\":\"invite-only-feature\",\"nodes\":\"$undefined\"}]}]}]}],[\"$\",\"div\",null,{\"className\":\"relative pb-6 md:hidden\",\"children\":[\"$\",\"$L13d\",null,{\"routeParams\":\"$13e\",\"config\":\"$13f\"}]}]]}],[\"$\",\"div\",null,{\"className\":\"col-span-10 mb-8 md:col-span-7 xl:col-span-6\",\"children\":[\"$\",\"div\",null,{\"className\":\"max-w-3xl xl:mx-auto\",\"children\":[[\"$\",\"div\",null,{\"className\":\"pb-8\",\"children\":[\"$\",\"$2e3\",null,{\"children\":[\"$\",\"$L2e4\",null,{\"initialQuery\":\"$undefined\"}]}]}],[\"$\",\"article\",null,{\"id\":\"main-content\",\"className\":\"prism markdown-content js-docHighlight\",\"children\":[[\"$\",\"header\",null,{\"className\":\"mb-2 hidden md:flex\",\"children\":[[\"$\",\"script\",null,{\"type\":\"application/ld+json\",\"dangerouslySetInnerHTML\":{\"__html\":\"{\\\"@context\\\":\\\"https://schema.org\\\",\\\"@type\\\":\\\"BreadcrumbList\\\",\\\"itemListElement\\\":[{\\\"@type\\\":\\\"ListItem\\\",\\\"position\\\":1,\\\"name\\\":\\\"Docs\\\",\\\"item\\\":\\\"/kb\\\"},{\\\"@type\\\":\\\"ListItem\\\",\\\"position\\\":2,\\\"name\\\":\\\"How-to 
Guides\\\",\\\"item\\\":\\\"/kb/1348/guides\\\"},{\\\"@type\\\":\\\"ListItem\\\",\\\"position\\\":3,\\\"name\\\":\\\"Manage Access\\\",\\\"item\\\":\\\"/kb/1350/manage\\\"},{\\\"@type\\\":\\\"ListItem\\\",\\\"position\\\":4,\\\"name\\\":\\\"Manage access control\\\",\\\"item\\\":\\\"/kb/1393/access-control\\\"},{\\\"@type\\\":\\\"ListItem\\\",\\\"position\\\":5,\\\"name\\\":\\\"Manage ACLs\\\",\\\"item\\\":\\\"/kb/1018/acls\\\"},{\\\"@type\\\":\\\"ListItem\\\",\\\"position\\\":6,\\\"name\\\":\\\"ACL syntax\\\",\\\"item\\\":\\\"/kb/1337/acl-syntax\\\"}]}\"}}],[\"$\",\"nav\",null,{\"className\":\"flex min-w-0 items-center gap-2 whitespace-nowrap text-sm font-medium\",\"children\":[[\"$\",\"$2e5\",\"/kb\",{\"children\":[[\"$\",\"$L16\",null,{\"className\":\"transition-color text-gray-600 hover:text-gray-800\",\"href\":\"/kb\",\"children\":\"Docs\"}],[\"$\",\"span\",null,{\"className\":\"select-none text-gray-500\",\"children\":\"›\"}]]}],[\"$\",\"$2e5\",\"/kb/1348/guides\",{\"children\":[[\"$\",\"$L16\",null,{\"className\":\"transition-color text-gray-600 hover:text-gray-800\",\"href\":\"/kb/1348/guides\",\"children\":\"How-to Guides\"}],[\"$\",\"span\",null,{\"className\":\"select-none text-gray-500\",\"children\":\"›\"}]]}],[\"$\",\"$2e5\",\"/kb/1350/manage\",{\"children\":[[\"$\",\"$L16\",null,{\"className\":\"transition-color text-gray-600 hover:text-gray-800\",\"href\":\"/kb/1350/manage\",\"children\":\"Manage Access\"}],[\"$\",\"span\",null,{\"className\":\"select-none text-gray-500\",\"children\":\"›\"}]]}],[\"$\",\"$2e5\",\"/kb/1393/access-control\",{\"children\":[[\"$\",\"$L16\",null,{\"className\":\"transition-color text-gray-600 hover:text-gray-800\",\"href\":\"/kb/1393/access-control\",\"children\":\"Manage access control\"}],[\"$\",\"span\",null,{\"className\":\"select-none text-gray-500\",\"children\":\"›\"}]]}],[\"$\",\"$2e5\",\"/kb/1018/acls\",{\"children\":[[\"$\",\"$L16\",null,{\"className\":\"transition-color text-gray-600 
hover:text-gray-800\",\"href\":\"/kb/1018/acls\",\"children\":\"Manage ACLs\"}],[\"$\",\"span\",null,{\"className\":\"select-none text-gray-500\",\"children\":\"›\"}]]}],[\"$\",\"span\",null,{\"className\":\"text-gray-800\",\"children\":\"ACL syntax\"}]]}]]}],[\"$\",\"h1\",null,{\"className\":\"mb-4 text-4xl font-medium tracking-tight\",\"children\":\"ACL syntax\"}],[\"$\",\"$L2e6\",null,{\"fallback\":[\"$\",\"div\",null,{\"className\":\"max-w-xl rounded-lg border p-6 lg:p-8\",\"children\":[[\"$\",\"h4\",null,{\"className\":\"mb-1 text-lg font-semibold tracking-tight\",\"children\":\"Sorry, an error occurred\"}],[\"$\",\"div\",null,{\"className\":\"ts-prose\",\"children\":[\"$\",\"p\",null,{\"children\":[\"There was an error while rendering the content for this page. \",[\"$\",\"span\",null,{\"className\":\"whitespace-nowrap\",\"children\":\"Please try again\"}],\" later, or\",\" \",[\"$\",\"$L16\",null,{\"href\":\"/contact/support\",\"className\":\"link\",\"children\":\"contact support\"}],\" \",\"for help.\"]}]}]]}],\"children\":[\"$\",\"div\",null,{\"className\":\"ts-prose\",\"children\":[\"$\",\"$2e3\",null,{\"children\":[[\"$\",\"p\",null,{\"children\":[\"You can write Tailscale \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1393/access-control\",\"children\":\"access control\"}],\" rules such as \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1018/acls\",\"children\":\"ACLs\"}],\" and \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1324/grants\",\"children\":\"grants\"}],\" in the tailnet policy file, which is expressed in \",[\"$\",\"a\",null,{\"href\":\"https://github.com/tailscale/hujson\",\"children\":\"human JSON (HuJSON)\"}],\".\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":\"The tailnet policy file has the following top-level sections relating to ACLs:\"}],\"\\n\",[\"$\",\"ul\",null,{\"children\":[\"\\n\",[\"$\",\"li\",null,{\"children\":[\"$\",\"a\",null,{\"href\":\"#acls\",\"children\":[\"Access control lists 
(\",[\"$\",\"code\",null,{\"children\":\"acls\"}],\")\"]}]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"$\",\"a\",null,{\"href\":\"#grants\",\"children\":[\"Grants (\",[\"$\",\"code\",null,{\"children\":\"grants\"}],\")\"]}]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"$\",\"a\",null,{\"href\":\"#groups\",\"children\":[\"Groups (\",[\"$\",\"code\",null,{\"children\":\"groups\"}],\")\"]}]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"$\",\"a\",null,{\"href\":\"#hosts\",\"children\":[\"Hosts (\",[\"$\",\"code\",null,{\"children\":\"hosts\"}],\")\"]}]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"$\",\"a\",null,{\"href\":\"#postures\",\"children\":[\"Postures (\",[\"$\",\"code\",null,{\"children\":\"postures\"}],\")\"]}]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"$\",\"a\",null,{\"href\":\"#tag-owners\",\"children\":[\"Tag owners (\",[\"$\",\"code\",null,{\"children\":\"tagOwners\"}],\")\"]}]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"$\",\"a\",null,{\"href\":\"#autoapprovers\",\"children\":[\"Auto approvers (\",[\"$\",\"code\",null,{\"children\":\"autoApprovers\"}],\")\"]}]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"$\",\"a\",null,{\"href\":\"#ssh\",\"children\":[\"SSH (\",[\"$\",\"code\",null,{\"children\":\"ssh\"}],\")\"]}]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"$\",\"a\",null,{\"href\":\"#nodeattrs\",\"children\":[\"Node attributes (\",[\"$\",\"code\",null,{\"children\":\"nodeAttrs\"}],\")\"]}]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"$\",\"a\",null,{\"href\":\"#tests\",\"children\":[\"Tests (\",[\"$\",\"code\",null,{\"children\":\"tests\"}],\")\"]}]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"$\",\"a\",null,{\"href\":\"#sshtests\",\"children\":[\"SSH test (\",[\"$\",\"code\",null,{\"children\":\"sshTests\"}],\")\"]}]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"$\",\"a\",null,{\"href\":\"#ipsets\",\"children\":[\"IP sets 
(\",[\"$\",\"code\",null,{\"children\":\"ipsets\"}],\")\"]}]}],\"\\n\"]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm\",\"children\":[[\"$\",\"span\",null,{\"className\":\"absolute left-3 top-3 inline-block h-[18px] w-[18px]\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"18px\",\"height\":\"18px\",\"viewBox\":\"0 0 24 24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":\"2\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"12\",\"cy\":\"12\",\"r\":\"10\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"16\",\"x2\":\"12\",\"y2\":\"12\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"8\",\"x2\":\"12.01\",\"y2\":\"8\"}]]}]}],[\"$\",\"p\",null,{\"children\":[\"The tailnet policy file also contains \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1324/grants\",\"children\":\"grants\"}],\" and the following \",[\"$\",\"a\",null,{\"href\":\"#network-policy-options\",\"children\":\"network-wide policy settings\"}],\" (unrelated to access control): \",[\"$\",\"code\",null,{\"children\":\"derpMap\"}],\", \",[\"$\",\"code\",null,{\"children\":\"disableIPv4\"}],\", and \",[\"$\",\"code\",null,{\"children\":\"randomizeClientPort\"}],\".\"]}]]}],\"\\n\",[\"$\",\"span\",null,{\"id\":\"acls\"}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"access-rules\",\"children\":\"Access rules\",\"level\":2}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The \",[\"$\",\"code\",null,{\"children\":\"acls\"}],\" section lists access rules for your tailnet. 
Each rule grants access from a set of sources to a set of destinations.\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"Access rules can use \",[\"$\",\"a\",null,{\"href\":\"#groups\",\"children\":\"groups\"}],\" and \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1068/tags\",\"children\":\"tags\"}],\" to grant access to pre-defined sets of users and assign service role accounts to nodes. Together, groups and tags let you build powerful \",[\"$\",\"$L16\",null,{\"href\":\"/blog/rbac-like-it-was-meant-to-be\",\"children\":\"role-based access control (RBAC)\"}],\" policies.\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":\"Tailscale automatically translates all ACLs to lower-level rules that allow traffic from a source IP address to a destination IP address and port.\"}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The following example shows an access rule with an \",[\"$\",\"code\",null,{\"children\":\"action\"}],\", \",[\"$\",\"code\",null,{\"children\":\"src\"}],\", \",[\"$\",\"code\",null,{\"children\":\"proto\"}],\", and \",[\"$\",\"code\",null,{\"children\":\"dst\"}],\".\"]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"group relative overflow-hidden\",\"children\":[[\"$\",\"div\",null,{\"className\":\"absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100\",\"children\":[\"$\",\"$L2e8\",null,{\"text\":\"{\\n \\\"action\\\": \\\"accept\\\",\\n \\\"src\\\": [ \u003clist-of-sources\u003e ],\\n \\\"proto\\\": \\\"tcp\\\", // optional\\n \\\"dst\\\": [ \u003clist-of-destinations\u003e ],\\n}\\n\"}]}],[\"$\",\"pre\",null,{\"className\":\"refractor language-json\",\"children\":[\"$\",\"code\",null,{\"className\":\"language-json\",\"children\":[[\"$\",\"span\",\"fract-0-0\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-2\",{\"className\":\"token 
property\",\"children\":[\"\\\"action\\\"\"]}],[\"$\",\"span\",\"fract-0-3\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-5\",{\"className\":\"token string\",\"children\":[\"\\\"accept\\\"\"]}],[\"$\",\"span\",\"fract-0-6\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-8\",{\"className\":\"token property\",\"children\":[\"\\\"src\\\"\"]}],[\"$\",\"span\",\"fract-0-9\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-11\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\" \u003clist-of-sources\u003e \",[\"$\",\"span\",\"fract-0-13\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-14\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-16\",{\"className\":\"token property\",\"children\":[\"\\\"proto\\\"\"]}],[\"$\",\"span\",\"fract-0-17\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-19\",{\"className\":\"token string\",\"children\":[\"\\\"tcp\\\"\"]}],[\"$\",\"span\",\"fract-0-20\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\" \",[\"$\",\"span\",\"fract-0-22\",{\"className\":\"token comment\",\"children\":[\"// optional\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-24\",{\"className\":\"token property\",\"children\":[\"\\\"dst\\\"\"]}],[\"$\",\"span\",\"fract-0-25\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-27\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\" \u003clist-of-destinations\u003e \",[\"$\",\"span\",\"fract-0-29\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-30\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n\",[\"$\",\"span\",\"fract-0-32\",{\"className\":\"token 
punctuation\",\"children\":[\"}\"]}],\"\\n\"]}]}]]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm\",\"children\":[[\"$\",\"span\",null,{\"className\":\"absolute left-3 top-3 inline-block h-[18px] w-[18px]\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"18px\",\"height\":\"18px\",\"viewBox\":\"0 0 24 24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":\"2\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"12\",\"cy\":\"12\",\"r\":\"10\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"16\",\"x2\":\"12\",\"y2\":\"12\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"8\",\"x2\":\"12.01\",\"y2\":\"8\"}]]}]}],[\"$\",\"p\",null,{\"children\":[\"The \",[\"$\",\"code\",null,{\"children\":\"acls\"}],\" section of the tailnet policy file supports the legacy fields \",[\"$\",\"code\",null,{\"children\":\"users\"}],\" and \",[\"$\",\"code\",null,{\"children\":\"ports\"}],\", but the best practice is to use \",[\"$\",\"code\",null,{\"children\":\"src\"}],\" (instead of \",[\"$\",\"code\",null,{\"children\":\"users\"}],\") and \",[\"$\",\"code\",null,{\"children\":\"dst\"}],\" (instead of \",[\"$\",\"code\",null,{\"children\":\"ports\"}],\").\"]}]]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"action\",\"children\":[\"$\",\"code\",null,{\"children\":\"action\"}],\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"Tailscale access rules deny access by default. As a result, the only possible \",[\"$\",\"code\",null,{\"children\":\"action\"}],\" is \",[\"$\",\"code\",null,{\"children\":\"accept\"}],\". 
\",[\"$\",\"code\",null,{\"children\":\"accept\"}],\" allows traffic from the source (\",[\"$\",\"code\",null,{\"children\":\"src\"}],\") to the destination (\",[\"$\",\"code\",null,{\"children\":\"dst\"}],\").\"]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"src\",\"children\":[\"$\",\"code\",null,{\"children\":\"src\"}],\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The \",[\"$\",\"code\",null,{\"children\":\"src\"}],\" field specifies a list of sources to which the rule applies. Each element in the list can be one of the following:\"]}],\"\\n\",[\"$\",\"table\",null,{\"className\":\"w-full\",\"children\":[[\"$\",\"thead\",null,{\"children\":[\"$\",\"tr\",null,{\"children\":[[\"$\",\"th\",null,{\"children\":[\"$\",\"strong\",null,{\"children\":\"Type\"}]}],[\"$\",\"th\",null,{\"children\":[\"$\",\"strong\",null,{\"children\":\"Example\"}]}],[\"$\",\"th\",null,{\"children\":[\"$\",\"strong\",null,{\"children\":\"Description\"}]}]]}]}],[\"$\",\"tbody\",null,{\"className\":\"fs-small\",\"children\":[[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"Any\"}],[\"$\",\"td\",null,{\"children\":\"*\"}],[\"$\",\"td\",null,{\"children\":[\"All traffic originating from Tailscale devices in your tailnet, any approved subnets and \",[\"$\",\"code\",null,{\"children\":\"autogroup:shared\"}],\". 
It does not allow traffic originating from non-Tailscale devices (unless it is an approved route).\"]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"User\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"shreya@example.com\"}]}],[\"$\",\"td\",null,{\"children\":\"Includes all the provided user's devices.\"}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"a\",null,{\"href\":\"#groups\",\"children\":\"Group\"}]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"group:\u003cgroup-name\u003e\"}]}],[\"$\",\"td\",null,{\"children\":\"Includes all users in the provided group.\"}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"Tailscale IP\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"100.101.102.103\"}]}],[\"$\",\"td\",null,{\"children\":[\"Includes only the device that owns the provided Tailscale IP. IPv6 addresses must follow the format \",[\"$\",\"code\",null,{\"children\":\"[1:2:3::4]:80\"}],\".\"]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[[\"$\",\"a\",null,{\"href\":\"/kb/1019/subnets\",\"children\":\"Subnet\"}],\" CIDR Range\"]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"192.168.1.0/24\"}]}],[\"$\",\"td\",null,{\"children\":\"Includes any IP address within the provided subnet.\"}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"a\",null,{\"href\":\"#hosts\",\"children\":\"Host\"}]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"my-host\"}]}],[\"$\",\"td\",null,{\"children\":[\"Includes the Tailscale IP address or CIDR in the \",[\"$\",\"code\",null,{\"children\":\"hosts\"}],\" 
section.\"]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"a\",null,{\"href\":\"/kb/1068/tags\",\"children\":\"Tag\"}]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"tag:production\"}]}],[\"$\",\"td\",null,{\"children\":\"Includes all devices with the provided tag.\"}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"a\",null,{\"href\":\"#autogroups\",\"children\":\"Autogroup\"}]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"autogroup:\u003crole|property\u003e\"}]}],[\"$\",\"td\",null,{\"children\":\"Includes devices of users, destinations, or usernames with the same properties or roles.\"}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"a\",null,{\"href\":\"#autogroups\",\"children\":\"Autogroup (all)\"}]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"autogroup:danger-all\"}]}],[\"$\",\"td\",null,{\"children\":\"A special autogroup that selects all sources including those outside your tailnet.\"}]]}]]}]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"You can optionally include the \",[\"$\",\"code\",null,{\"children\":\"srcPosture\"}],\" field to further restrict \",[\"$\",\"code\",null,{\"children\":\"src\"}],\" devices to the ones matching a set of \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1288/device-posture/#device-posture-conditions\",\"children\":\"device posture conditions\"}],\".\"]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"proto\",\"children\":[\"$\",\"code\",null,{\"children\":\"proto\"}],\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The \",[\"$\",\"code\",null,{\"children\":\"proto\"}],\" field is an optional field you can use to specify the protocol to which the rule applies. 
Without a protocol, the access rule applies to all TCP and UDP traffic.\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"You can specify \",[\"$\",\"code\",null,{\"children\":\"proto\"}],\" as an \",[\"$\",\"a\",null,{\"href\":\"https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml\",\"children\":\"IANA IP protocol number\"}],\" \",[\"$\",\"code\",null,{\"children\":\"1-255\"}],\" (for example, \",[\"$\",\"code\",null,{\"children\":\"\\\"16\\\"\"}],\") or one of the supported named aliases.\"]}],\"\\n\",[\"$\",\"br\",null,{}],\"\\n\",[\"$\",\"details\",null,{\"children\":[[\"$\",\"summary\",null,{\"children\":\"Expand to view all named aliases.\"}],[\"$\",\"table\",null,{\"className\":\"w-full\",\"children\":[[\"$\",\"thead\",null,{\"children\":[\"$\",\"tr\",null,{\"children\":[[\"$\",\"th\",null,{\"children\":[\"$\",\"strong\",null,{\"children\":\"Protocol\"}]}],[\"$\",\"th\",null,{\"children\":[\"$\",\"strong\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"proto\"}]}]}],[\"$\",\"th\",null,{\"children\":[\"$\",\"strong\",null,{\"children\":\"IANA protocol number\"}]}]]}]}],[\"$\",\"tbody\",null,{\"className\":\"fs-small\",\"children\":[[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"Internet Group Management (IGMP)\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"igmp\"}]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"2\"}]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"IPv4 encapsulation\"}],[\"$\",\"td\",null,{\"children\":[[\"$\",\"code\",null,{\"children\":\"ipv4\"}],\", \",[\"$\",\"code\",null,{\"children\":\"ip-in-ip\"}]]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"4\"}]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"Transmission Control 
(TCP)\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"tcp\"}]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"6\"}]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"Exterior Gateway Protocol (EGP)\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"egp\"}]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"8\"}]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"Any private interior gateway\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"igp\"}]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"9\"}]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"User Datagram (UDP)\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"udp\"}]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"17\"}]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"Generic Routing Encapsulation (GRE)\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"gre\"}]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"47\"}]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"Encap Security Payload (ESP)\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"esp\"}]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"50\"}]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"Authentication Header (AH)\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"ah\"}]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"51\"}]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"Stream Control Transmission Protocol 
(SCTP)\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"sctp\"}]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"132\"}]}]]}]]}]]}]]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm\",\"children\":[[\"$\",\"span\",null,{\"className\":\"absolute left-3 top-3 inline-block h-[18px] w-[18px]\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"18px\",\"height\":\"18px\",\"viewBox\":\"0 0 24 24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":\"2\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"12\",\"cy\":\"12\",\"r\":\"10\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"16\",\"x2\":\"12\",\"y2\":\"12\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"8\",\"x2\":\"12.01\",\"y2\":\"8\"}]]}]}],[[\"$\",\"p\",null,{\"children\":[\"Notes about the \",[\"$\",\"code\",null,{\"children\":\"proto\"}],\" field:\"]}],[\"$\",\"ul\",null,{\"children\":[\"\\n\",[\"$\",\"li\",null,{\"children\":[\"You must use Tailscale version v1.18.2 or later to use the \",[\"$\",\"code\",null,{\"children\":\"proto\"}],\" field. Earlier versions of Tailscale will fail and block any access rule that specifies a protocol.\"]}],\"\\n\",[\"$\",\"li\",null,{\"children\":\"If traffic is allowed for a given pair of IP addresses, then ICMP will also be allowed.\"}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"Only TCP, UDP, and SCTP traffic support specifying ports. 
All other protocols only support \",[\"$\",\"code\",null,{\"children\":\"*\"}],\" as the protocol port.\"]}],\"\\n\"]}]]]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"dst\",\"children\":[\"$\",\"code\",null,{\"children\":\"dst\"}],\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The \",[\"$\",\"code\",null,{\"children\":\"dst\"}],\" field specifies a list of destinations to which the rule applies. Each element in the list specifies a \",[\"$\",\"code\",null,{\"children\":\"host\"}],\" and one or more \",[\"$\",\"code\",null,{\"children\":\"ports\"}],\" in the format \",[\"$\",\"code\",null,{\"children\":\"\u003chost\u003e:\u003cports\u003e\"}],\".\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The \",[\"$\",\"code\",null,{\"children\":\"host\"}],\" can be any of the following types:\"]}],\"\\n\",[\"$\",\"table\",null,{\"className\":\"w-full\",\"children\":[[\"$\",\"thead\",null,{\"children\":[\"$\",\"tr\",null,{\"children\":[[\"$\",\"th\",null,{\"children\":[\"$\",\"strong\",null,{\"children\":\"Type\"}]}],[\"$\",\"th\",null,{\"children\":[\"$\",\"strong\",null,{\"children\":\"Example\"}]}],[\"$\",\"th\",null,{\"children\":[\"$\",\"strong\",null,{\"children\":\"Description\"}]}]]}]}],[\"$\",\"tbody\",null,{\"className\":\"fs-small\",\"children\":[[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"Any\"}],[\"$\",\"td\",null,{\"children\":\"*\"}],[\"$\",\"td\",null,{\"children\":\"Includes any destination (no restrictions).\"}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"User\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"shreya@example.com\"}]}],[\"$\",\"td\",null,{\"children\":\"Includes any device currently signed in as the provided 
user.\"}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"a\",null,{\"href\":\"#groups\",\"children\":\"Group\"}]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"group:\u003cgroup-name\u003e\"}]}],[\"$\",\"td\",null,{\"children\":\"Includes all users in the provided group.\"}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"Tailscale IP address\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"100.101.102.103\"}]}],[\"$\",\"td\",null,{\"children\":\"Includes only the device that owns the provided Tailscale IP address.\"}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"a\",null,{\"href\":\"#hosts\",\"children\":\"Hosts\"}]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"example-host-name\"}]}],[\"$\",\"td\",null,{\"children\":[\"Includes the Tailscale IP address in the \",[\"$\",\"a\",null,{\"href\":\"#hosts\",\"children\":[[\"$\",\"code\",null,{\"children\":\"hosts\"}],\" section\"]}],\".\"]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[[\"$\",\"a\",null,{\"href\":\"/kb/1019/subnets\",\"children\":\"Subnet\"}],\" CIDR Range\"]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"192.168.1.0/24\"}]}],[\"$\",\"td\",null,{\"children\":\"Includes any IP address within the given subnet.\"}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"a\",null,{\"href\":\"/kb/1068/tags\",\"children\":\"Tags\"}]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"tag:\u003ctag-name\u003e\"}]}],[\"$\",\"td\",null,{\"children\":\"Includes any device with the provided tag.\"}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"Internet access through an \",[\"$\",\"a\",null,{\"href\":\"/kb/1103/exit-nodes\",\"children\":\"exit 
node\"}]]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"autogroup:internet\"}]}],[\"$\",\"td\",null,{\"children\":[\"Includes devices with access to the internet through \",[\"$\",\"a\",null,{\"href\":\"/kb/1103/exit-nodes\",\"children\":\"exit nodes.\"}]]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"Own devices\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"autogroup:self\"}]}],[\"$\",\"td\",null,{\"children\":[\"Includes devices where the same user is authenticated on both the \",[\"$\",\"code\",null,{\"children\":\"src\"}],\" and the \",[\"$\",\"code\",null,{\"children\":\"dst\"}],\". This does not include devices for which the user has \",[\"$\",\"a\",null,{\"href\":\"/kb/1068/tags/\",\"children\":\"tags\"}],\".\"]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"Tailnet devices\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"autogroup:member\"}]}],[\"$\",\"td\",null,{\"children\":\"Includes devices in the tailnet where the user is a direct member (not a shared user) of the tailnet.\"}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"Admin devices\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"autogroup:admin\"}]}],[\"$\",\"td\",null,{\"children\":[\"Includes devices where the user is an \",[\"$\",\"a\",null,{\"href\":\"/kb/1138/user-roles/#admin\",\"children\":\"Admin\"}],\".\"]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"Network admin devices\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"autogroup:network-admin\"}]}],[\"$\",\"td\",null,{\"children\":[\"Includes devices where the user is a \",[\"$\",\"a\",null,{\"href\":\"/kb/1138/user-roles/#network-admin\",\"children\":\"Network admin\"}],\".\"]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"IT admin 
devices\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"autogroup:it-admin\"}]}],[\"$\",\"td\",null,{\"children\":[\"Includes devices where the user is an \",[\"$\",\"a\",null,{\"href\":\"/kb/1138/user-roles/#it-admin\",\"children\":\"IT admin\"}],\".\"]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"Billing admin devices\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"autogroup:billing-admin\"}]}],[\"$\",\"td\",null,{\"children\":[\"Includes devices where the user is a \",[\"$\",\"a\",null,{\"href\":\"/kb/1138/user-roles/#billing-admin\",\"children\":\"Billing admin\"}],\".\"]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"Auditor devices\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"autogroup:auditor\"}]}],[\"$\",\"td\",null,{\"children\":[\"Includes devices where the user is an \",[\"$\",\"a\",null,{\"href\":\"/kb/1138/user-roles/#auditor\",\"children\":\"Auditor\"}],\".\"]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"Owner devices\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"autogroup:owner\"}]}],[\"$\",\"td\",null,{\"children\":[\"Includes devices where the user is the tailnet \",[\"$\",\"a\",null,{\"href\":\"/kb/1138/user-roles/#owner\",\"children\":\"Owner\"}],\".\"]}]]}]]}]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The \",[\"$\",\"code\",null,{\"children\":\"ports\"}],\" field can be any of the following 
types:\"]}],\"\\n\",[\"$\",\"table\",null,{\"className\":\"w-full\",\"children\":[[\"$\",\"thead\",null,{\"children\":[\"$\",\"tr\",null,{\"children\":[[\"$\",\"th\",null,{\"children\":[\"$\",\"strong\",null,{\"children\":\"Type\"}]}],[\"$\",\"th\",null,{\"children\":[\"$\",\"strong\",null,{\"children\":\"Description\"}]}],[\"$\",\"th\",null,{\"children\":[\"$\",\"strong\",null,{\"children\":\"Example\"}]}]]}]}],[\"$\",\"tbody\",null,{\"className\":\"fs-small\",\"children\":[[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"Any\"}],[\"$\",\"td\",null,{\"children\":\"Includes any port number.\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"*\"}]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"Single\"}],[\"$\",\"td\",null,{\"children\":\"Includes a single port number.\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"22\"}]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"Multiple\"}],[\"$\",\"td\",null,{\"children\":\"Includes two or more port numbers separated by commas.\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"80,443\"}]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"Range\"}],[\"$\",\"td\",null,{\"children\":\"Includes a range of port numbers.\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"1000-2000\"}]}]]}]]}]]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"subnet-routers-and-exit-nodes\",\"children\":\"Subnet routers and exit nodes\",\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"ACLs don't limit the discovery of routes. If a device is a \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1019/subnets\",\"children\":\"subnet router\"}],\", you can restrict access to it independently from the subnet. 
If a device is an \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1103/exit-nodes\",\"children\":\"exit node\"}],\", you can restrict access to it independently from its public IP address.\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"To restrict access to a subnet, ensure that no ACL allows access to those routes. You can enforce this with a test that fails if any rule accidentally allows access. The following example demonstrates a test that fails if \",[\"$\",\"code\",null,{\"children\":\"not-allowed@example.com\"}],\" is allowed access to \",[\"$\",\"code\",null,{\"children\":\"198.51.100.7:22\"}],\".\"]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"group relative overflow-hidden\",\"children\":[[\"$\",\"div\",null,{\"className\":\"absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100\",\"children\":[\"$\",\"$L2e8\",null,{\"text\":\"\\\"tests\\\": [\\n {\\n \\\"src\\\": \\\"not-allowed@example.com\\\",\\n \\\"accept\\\": [\\\"192.0.2.100:22\\\"], // allow access to the tailscale IP\\n \\\"deny\\\": [\\\"198.51.100.7:22\\\"], // does not allow access to the subnet\\n }\\n],\\n\"}]}],[\"$\",\"pre\",null,{\"className\":\"refractor language-json\",\"children\":[\"$\",\"code\",null,{\"className\":\"language-json\",\"children\":[[\"$\",\"span\",\"fract-0-0\",{\"className\":\"token property\",\"children\":[\"\\\"tests\\\"\"]}],[\"$\",\"span\",\"fract-0-1\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-3\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-5\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-7\",{\"className\":\"token property\",\"children\":[\"\\\"src\\\"\"]}],[\"$\",\"span\",\"fract-0-8\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-10\",{\"className\":\"token 
string\",\"children\":[\"\\\"not-allowed@example.com\\\"\"]}],[\"$\",\"span\",\"fract-0-11\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-13\",{\"className\":\"token property\",\"children\":[\"\\\"accept\\\"\"]}],[\"$\",\"span\",\"fract-0-14\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-16\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-17\",{\"className\":\"token string\",\"children\":[\"\\\"192.0.2.100:22\\\"\"]}],[\"$\",\"span\",\"fract-0-18\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-19\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\" \",[\"$\",\"span\",\"fract-0-21\",{\"className\":\"token comment\",\"children\":[\"// allow access to the tailscale IP\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-23\",{\"className\":\"token property\",\"children\":[\"\\\"deny\\\"\"]}],[\"$\",\"span\",\"fract-0-24\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-26\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-27\",{\"className\":\"token string\",\"children\":[\"\\\"198.51.100.7:22\\\"\"]}],[\"$\",\"span\",\"fract-0-28\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-29\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\" \",[\"$\",\"span\",\"fract-0-31\",{\"className\":\"token comment\",\"children\":[\"// does not allow access to the subnet\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-33\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],\"\\n\",[\"$\",\"span\",\"fract-0-35\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-36\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n\"]}]}]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"Only devices with access to 
\",[\"$\",\"code\",null,{\"children\":\"autogroup:internet\"}],\" can use exit nodes. All other devices (without access to \",[\"$\",\"code\",null,{\"children\":\"autogroup:internet\"}],\") cannot use exit nodes. You can enforce this with a test that fails if any rule accidentally allows access to a public address. The following example test fails if \",[\"$\",\"code\",null,{\"children\":\"not-allowed@example.com\"}],\" can access \",[\"$\",\"code\",null,{\"children\":\"198.51.100.8:22\"}],\".\"]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"group relative overflow-hidden\",\"children\":[[\"$\",\"div\",null,{\"className\":\"absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100\",\"children\":[\"$\",\"$L2e8\",null,{\"text\":\"\\\"tests\\\": [\\n {\\n \\\"src\\\": \\\"not-allowed@example.com\\\",\\n \\\"accept\\\": [\\\"192.0.2.100:22\\\"], // allow access to the tailscale IP\\n \\\"deny\\\": [\\\"198.51.100.8:22\\\"], // does not allow access to a public IP\\n }\\n],\\n\"}]}],[\"$\",\"pre\",null,{\"className\":\"refractor language-json\",\"children\":[\"$\",\"code\",null,{\"className\":\"language-json\",\"children\":[[\"$\",\"span\",\"fract-0-0\",{\"className\":\"token property\",\"children\":[\"\\\"tests\\\"\"]}],[\"$\",\"span\",\"fract-0-1\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-3\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-5\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-7\",{\"className\":\"token property\",\"children\":[\"\\\"src\\\"\"]}],[\"$\",\"span\",\"fract-0-8\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-10\",{\"className\":\"token 
string\",\"children\":[\"\\\"not-allowed@example.com\\\"\"]}],[\"$\",\"span\",\"fract-0-11\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-13\",{\"className\":\"token property\",\"children\":[\"\\\"accept\\\"\"]}],[\"$\",\"span\",\"fract-0-14\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-16\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-17\",{\"className\":\"token string\",\"children\":[\"\\\"192.0.2.100:22\\\"\"]}],[\"$\",\"span\",\"fract-0-18\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-19\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\" \",[\"$\",\"span\",\"fract-0-21\",{\"className\":\"token comment\",\"children\":[\"// allow access to the tailscale IP\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-23\",{\"className\":\"token property\",\"children\":[\"\\\"deny\\\"\"]}],[\"$\",\"span\",\"fract-0-24\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-26\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-27\",{\"className\":\"token string\",\"children\":[\"\\\"198.51.100.8:22\\\"\"]}],[\"$\",\"span\",\"fract-0-28\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-29\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\" \",[\"$\",\"span\",\"fract-0-31\",{\"className\":\"token comment\",\"children\":[\"// does not allow access to a public IP\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-33\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],\"\\n\",[\"$\",\"span\",\"fract-0-35\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-36\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n\"]}]}]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"You cannot restrict the use of specific exit nodes using ACLs. 
Refer to \",[\"$\",\"a\",null,{\"href\":\"https://github.com/tailscale/tailscale/issues/1567\",\"children\":\"issue #1567\"}],\" for updates.\"]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"taildrop-precedence\",\"children\":\"Taildrop precedence\",\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":\"Taildrop permits you to share files between devices you're logged in to, even if you use ACLs to restrict access.\"}],\"\\n\",[\"$\",\"span\",null,{\"id\":\"grants\"}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"grants\",\"children\":\"Grants\",\"level\":2}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm\",\"children\":[[\"$\",\"span\",null,{\"className\":\"absolute left-3 top-3 inline-block h-[18px] w-[18px]\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"18px\",\"height\":\"18px\",\"viewBox\":\"0 0 24 24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":\"2\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"12\",\"cy\":\"12\",\"r\":\"10\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"16\",\"x2\":\"12\",\"y2\":\"12\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"8\",\"x2\":\"12.01\",\"y2\":\"8\"}]]}]}],[\"Grants\",\" \",\"are\",\" currently\",\" \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1167/release-stages#beta\",\"className\":\"!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline\",\"children\":[\"in \",\"\",\"beta\"]}],\".\",\"$undefined\"]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"Grants are a new, more powerful approach to access control. They let you do everything you can with ACLs, plus more. 
When communicating with a destination device, you can grant \",[\"$\",\"a\",null,{\"href\":\"https://en.wikipedia.org/wiki/Application_layer\",\"children\":\"application layer\"}],\" capabilities to a set of devices or users. You can also continue to define traditional \",[\"$\",\"a\",null,{\"href\":\"https://en.wikipedia.org/wiki/Network_layer\",\"children\":\"network layer\"}],\" capabilities. For example, you can use a grant rule to give a group of users access to port \",[\"$\",\"code\",null,{\"children\":\"8443\"}],\" on a server, \",[\"$\",\"em\",null,{\"children\":\"and\"}],\" define the files they can edit on that server.\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The grants system combines network layer and application layer capabilities into a shared syntax. As a result, it offers enhanced flexibility and fine-grained control over resource access. Each grant only requires a source and a destination. Because Tailscale takes a deny-by-default approach, each grant has an implied \",[\"$\",\"em\",null,{\"children\":\"accept\"}],\" action.\"]}],\"\\n\",[\"$\",\"br\",null,{}],\"\\n\",\"$L2e9\",\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"reference-users\",\"children\":\"Reference users\",\"level\":2}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm\",\"children\":[[\"$\",\"span\",null,{\"className\":\"absolute left-3 top-3 inline-block h-[18px] w-[18px]\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"18px\",\"height\":\"18px\",\"viewBox\":\"0 0 24 
24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":\"2\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"12\",\"cy\":\"12\",\"r\":\"10\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"16\",\"x2\":\"12\",\"y2\":\"12\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"8\",\"x2\":\"12.01\",\"y2\":\"8\"}]]}]}],[\"Users\",\" \",\"are\",\" available for \",[\"$\",\"$L16\",null,{\"href\":\"/pricing\",\"className\":\"!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline\",\"children\":\"the Personal, Personal Plus, Premium, and Enterprise plans\"}],\".\"]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"You can specify users in an access rule's source (\",[\"$\",\"code\",null,{\"children\":\"src\"}],\") and destination (\",[\"$\",\"code\",null,{\"children\":\"dst\"}],\") fields. To specify a user, use one of the following formats (depending on how the user signs into Tailscale):\"]}],\"\\n\",[\"$\",\"table\",null,{\"children\":[[\"$\",\"thead\",null,{\"children\":[\"$\",\"tr\",null,{\"children\":[[\"$\",\"th\",null,{\"children\":[\"$\",\"strong\",null,{\"children\":\"Format\"}]}],[\"$\",\"th\",null,{\"children\":[\"$\",\"strong\",null,{\"children\":\"Description\"}]}],[\"$\",\"th\",null,{\"children\":[\"$\",\"strong\",null,{\"children\":\"Example\"}]}]]}]}],[\"$\",\"tbody\",null,{\"children\":[[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"username@example.com\"}]}],[\"$\",\"td\",null,{\"children\":\"Use if the user signs into Tailscale with an email address.\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"alice@example.com\"}]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"username@github\"}]}],[\"$\",\"td\",null,{\"children\":\"Use if the user signs into Tailscale with 
a GitHub account.\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"alice@github\"}]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"username@passkey\"}]}],[\"$\",\"td\",null,{\"children\":\"Use if the user signs into Tailscale with a Passkey.\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"alice@passkey\"}]}]]}]]}]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":\"You can use groups to reference sets of users. Groups let you define role-based access controls. There are multiple types of groups:\"}],\"\\n\",[\"$\",\"ul\",null,{\"children\":[\"\\n\",[\"$\",\"li\",null,{\"children\":\"Auto groups that reference all users with the same property.\"}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"Groups defined in the \",[\"$\",\"code\",null,{\"children\":\"groups\"}],\" section of the tailnet policy file as a specific list of users.\"]}],\"\\n\",[\"$\",\"li\",null,{\"children\":\"Groups provisioned in the identity provider and synced through user and group provisioning.\"}],\"\\n\"]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"autogroups\",\"children\":\"Autogroups\",\"level\":2}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm\",\"children\":[[\"$\",\"span\",null,{\"className\":\"absolute left-3 top-3 inline-block h-[18px] w-[18px]\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"18px\",\"height\":\"18px\",\"viewBox\":\"0 0 24 
24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":\"2\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"12\",\"cy\":\"12\",\"r\":\"10\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"16\",\"x2\":\"12\",\"y2\":\"12\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"8\",\"x2\":\"12.01\",\"y2\":\"8\"}]]}]}],[\"Autogroups\",\" \",\"are\",\" available for \",[\"$\",\"$L16\",null,{\"href\":\"/pricing\",\"className\":\"!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline\",\"children\":\"all plans\"}],\".\"]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"An \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1396/targets#autogroups\",\"children\":\"autogroup\"}],\" is a special group that automatically includes users, destinations, or usernames with the same properties.\"]}],\"\\n\",[\"$\",\"table\",null,{\"className\":\"w-full\",\"children\":[[\"$\",\"thead\",null,{\"children\":[\"$\",\"tr\",null,{\"children\":[[\"$\",\"th\",null,{\"children\":[\"$\",\"strong\",null,{\"children\":\"Allowed\"}]}],[\"$\",\"th\",null,{\"children\":[\"$\",\"strong\",null,{\"children\":\"Autogroup\"}]}],[\"$\",\"th\",null,{\"children\":[\"$\",\"strong\",null,{\"children\":\"Description\"}]}],[\"$\",\"th\",null,{\"children\":[\"$\",\"strong\",null,{\"children\":\"Availability by plan\"}]}]]}]}],[\"$\",\"tbody\",null,{\"className\":\"fs-small\",\"children\":[[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"rowspan\":\"2\",\"children\":[\"As a \",[\"$\",\"code\",null,{\"children\":\"dst\"}]]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"autogroup:internet\"}]}],[\"$\",\"td\",null,{\"children\":[\"Use to allow access for any user through \",[\"$\",\"i\",null,{\"children\":\"any\"}],\" \",[\"$\",\"a\",null,{\"href\":\"/kb/1103/exit-nodes\",\"children\":\"exit node\"}],\" in your 
tailnet.\"]}],[\"$\",\"td\",null,{\"rowspan\":\"2\",\"children\":[\"Available on \",[\"$\",\"a\",null,{\"href\":\"/pricing\",\"children\":\"all plans\"}]]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"autogroup:self\"}]}],[\"$\",\"td\",null,{\"children\":\"Use to allow access for any user that is authenticated as the same user as the source. Does not apply to tags.\"}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"rowspan\":\"9\",\"children\":[\"As a \",[\"$\",\"code\",null,{\"children\":\"src\"}],\" or \",[\"$\",\"code\",null,{\"children\":\"dst\"}],\", \",[\"$\",\"code\",null,{\"children\":\"tagOwner\"}],\", or \",[\"$\",\"code\",null,{\"children\":\"autoApprover\"}]]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"autogroup:owner\"}]}],[\"$\",\"td\",null,{\"children\":[\"Use to allow access for the tailnet \",[\"$\",\"a\",null,{\"href\":\"/kb/1138/user-roles/#owner\",\"children\":\"Owner\"}],\".\"]}],[\"$\",\"td\",null,{\"rowspan\":\"4\",\"children\":[\"Available on \",[\"$\",\"a\",null,{\"href\":\"/pricing\",\"children\":\"all plans\"}]]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"autogroup:admin\"}]}],[\"$\",\"td\",null,{\"children\":[\"Use to allow access for any user who has the role of \",[\"$\",\"a\",null,{\"href\":\"/kb/1138/user-roles/#admin\",\"children\":\"Admin\"}],\".\"]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"autogroup:member\"}]}],[\"$\",\"td\",null,{\"children\":\"Use to allow access for any user who is a direct member (including all invited users) of the tailnet. 
Does not include users from shared devices.\"}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"autogroup:tagged\"}]}],[\"$\",\"td\",null,{\"children\":[\"Use to allow access for any device that is \",[\"$\",\"a\",null,{\"href\":\"/kb/1068/tags/\",\"children\":\"tagged\"}],\".\"]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"autogroup:auditor\"}]}],[\"$\",\"td\",null,{\"children\":[\"Use to allow access for any user who has the role of \",[\"$\",\"a\",null,{\"href\":\"/kb/1138/user-roles/#auditor\",\"children\":\"Auditor\"}],\".\"]}],[\"$\",\"td\",null,{\"rowspan\":\"4\",\"children\":[\"Available on \",[\"$\",\"a\",null,{\"href\":\"/pricing\",\"children\":\"the Personal, Personal Plus, Premium, and Enterprise plans\"}]]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"autogroup:billing-admin\"}]}],[\"$\",\"td\",null,{\"children\":[\"Use to allow access for any user who has the role of \",[\"$\",\"a\",null,{\"href\":\"/kb/1138/user-roles/#billing-admin\",\"children\":\"Billing admin\"}],\".\"]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"autogroup:it-admin\"}]}],[\"$\",\"td\",null,{\"children\":[\"Use to allow access for any user who has the role of \",[\"$\",\"a\",null,{\"href\":\"/kb/1138/user-roles/#it-admin\",\"children\":\"IT admin\"}],\".\"]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"autogroup:network-admin\"}]}],[\"$\",\"td\",null,{\"children\":[\"Use to allow access for any user who has the role of \",[\"$\",\"a\",null,{\"href\":\"/kb/1138/user-roles/#network-admin\",\"children\":\"Network 
admin\"}],\".\"]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"user:*@\u003cdomain\u003e\"}]}],[\"$\",\"td\",null,{\"children\":\"Use to allow access for any user whose login is in the specified domain and who is a direct member (including all invited users) of the tailnet. Does not include users from shared devices.\"}],[\"$\",\"td\",null,{\"children\":[\"Available on \",[\"$\",\"a\",null,{\"href\":\"/pricing\",\"children\":\"the Starter, Premium, and Enterprise plans\"}]]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"As a \",[\"$\",\"code\",null,{\"children\":\"src\"}]]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"autogroup:shared\"}]}],[\"$\",\"td\",null,{\"children\":[\"Use to allow access for any user who accepted a \",[\"$\",\"a\",null,{\"href\":\"/kb/1084/sharing\",\"children\":\"sharing\"}],\" invitation to your network. This lets you write rules without knowing the email addresses in advance.\"]}],[\"$\",\"td\",null,{\"children\":[\"Available on \",[\"$\",\"a\",null,{\"href\":\"/pricing\",\"children\":\"all plans\"}]]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"rowspan\":\"2\",\"children\":[\"As an \",[\"$\",\"a\",null,{\"href\":\"/kb/1337/acl-syntax/#ssh\",\"children\":\"SSH\"}],\" user\"]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"autogroup:nonroot\"}]}],[\"$\",\"td\",null,{\"children\":[\"Use to allow \",[\"$\",\"a\",null,{\"href\":\"/kb/1193/tailscale-ssh/\",\"children\":\"Tailscale SSH\"}],\" access to any user that is not \",[\"$\",\"code\",null,{\"children\":\"root\"}],\".\"]}],[\"$\",\"td\",null,{\"children\":[\"Available on \",[\"$\",\"a\",null,{\"href\":\"/pricing\",\"children\":\"the Personal, Personal Plus, Premium, and Enterprise 
plans\"}]]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"localpart:*@\u003cdomain\u003e\"}]}],[\"$\",\"td\",null,{\"children\":[\"Use to allow \",[\"$\",\"a\",null,{\"href\":\"/kb/1193/tailscale-ssh/\",\"children\":\"Tailscale SSH\"}],\" access to the user whose name matches the \",[\"$\",\"a\",null,{\"href\":\"https://datatracker.ietf.org/doc/html/rfc2822#section-3.4.1\",\"children\":\"local-part\"}],\" of the user's login.\"]}],[\"$\",\"td\",null,{\"children\":[\"Available on \",[\"$\",\"a\",null,{\"href\":\"/pricing\",\"children\":\"the Premium and Enterprise plans\"}]]}]]}]]}]]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm\",\"children\":[[\"$\",\"span\",null,{\"className\":\"absolute left-3 top-3 inline-block h-[18px] w-[18px]\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"18px\",\"height\":\"18px\",\"viewBox\":\"0 0 24 24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":\"2\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"12\",\"cy\":\"12\",\"r\":\"10\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"16\",\"x2\":\"12\",\"y2\":\"12\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"8\",\"x2\":\"12.01\",\"y2\":\"8\"}]]}]}],[\"$\",\"p\",null,{\"children\":[[\"$\",\"code\",null,{\"children\":\"autogroup:self\"}],\" only applies to user-owned devices. It does not apply to tagged devices. 
You cannot use \",[\"$\",\"code\",null,{\"children\":\"autogroup:self\"}],\" with \",[\"$\",\"code\",null,{\"children\":\"autogroup:tagged\"}],\".\"]}]]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm\",\"children\":[[\"$\",\"span\",null,{\"className\":\"absolute left-3 top-3 inline-block h-[18px] w-[18px]\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"18px\",\"height\":\"18px\",\"viewBox\":\"0 0 24 24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":\"2\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"12\",\"cy\":\"12\",\"r\":\"10\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"16\",\"x2\":\"12\",\"y2\":\"12\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"8\",\"x2\":\"12.01\",\"y2\":\"8\"}]]}]}],[\"$\",\"p\",null,{\"children\":[\"The legacy autogroup \",[\"$\",\"code\",null,{\"children\":\"autogroup:members\"}],\" will continue to work, but it's best practice to use \",[\"$\",\"code\",null,{\"children\":\"autogroup:member\"}],\" instead. 
You cannot use both \",[\"$\",\"code\",null,{\"children\":\"autogroup:member\"}],\" and \",[\"$\",\"code\",null,{\"children\":\"autogroup:members\"}],\" in the same tailnet policy file.\"]}]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The following example \",[\"$\",\"a\",null,{\"href\":\"#ssh\",\"children\":[[\"$\",\"code\",null,{\"children\":\"ssh\"}],\" rule\"]}],\" allows all users Tailscale SSH access to devices they own (as non-root):\"]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"group relative overflow-hidden\",\"children\":[[\"$\",\"div\",null,{\"className\":\"absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100\",\"children\":[\"$\",\"$L2e8\",null,{\"text\":\"\\\"ssh\\\": [\\n {\\n // All users can SSH to their own devices, as non-root\\n \\\"action\\\": \\\"accept\\\",\\n \\\"src\\\": [\\\"autogroup:member\\\"],\\n \\\"dst\\\": [\\\"autogroup:self\\\"],\\n \\\"users\\\": [\\\"autogroup:nonroot\\\"]\\n },\\n]\\n\"}]}],[\"$\",\"pre\",null,{\"className\":\"refractor language-json\",\"children\":[\"$\",\"code\",null,{\"className\":\"language-json\",\"children\":[[\"$\",\"span\",\"fract-0-0\",{\"className\":\"token property\",\"children\":[\"\\\"ssh\\\"\"]}],[\"$\",\"span\",\"fract-0-1\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-3\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-5\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-7\",{\"className\":\"token comment\",\"children\":[\"// All users can SSH to their own devices, as non-root\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-9\",{\"className\":\"token property\",\"children\":[\"\\\"action\\\"\"]}],[\"$\",\"span\",\"fract-0-10\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-12\",{\"className\":\"token 
string\",\"children\":[\"\\\"accept\\\"\"]}],[\"$\",\"span\",\"fract-0-13\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-15\",{\"className\":\"token property\",\"children\":[\"\\\"src\\\"\"]}],[\"$\",\"span\",\"fract-0-16\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-18\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-19\",{\"className\":\"token string\",\"children\":[\"\\\"autogroup:member\\\"\"]}],[\"$\",\"span\",\"fract-0-20\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-21\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-23\",{\"className\":\"token property\",\"children\":[\"\\\"dst\\\"\"]}],[\"$\",\"span\",\"fract-0-24\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-26\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-27\",{\"className\":\"token string\",\"children\":[\"\\\"autogroup:self\\\"\"]}],[\"$\",\"span\",\"fract-0-28\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-29\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-31\",{\"className\":\"token property\",\"children\":[\"\\\"users\\\"\"]}],[\"$\",\"span\",\"fract-0-32\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-34\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-35\",{\"className\":\"token string\",\"children\":[\"\\\"autogroup:nonroot\\\"\"]}],[\"$\",\"span\",\"fract-0-36\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-38\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],[\"$\",\"span\",\"fract-0-39\",{\"className\":\"token 
punctuation\",\"children\":[\",\"]}],\"\\n\",[\"$\",\"span\",\"fract-0-41\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],\"\\n\"]}]}]]}],\"\\n\",[\"$\",\"p\",null,{\"className\":\"ts-prose\",\"children\":[\"In the default ACL, the \",[\"$\",\"code\",null,{\"children\":\"ssh\"}],\" rule uses \",[\"$\",\"code\",null,{\"children\":\"autogroup:self\"}],\" for the \",[\"$\",\"code\",null,{\"children\":\"dst\"}],\" field and \",[\"$\",\"code\",null,{\"children\":\"autogroup:nonroot\"}],\" in the \",[\"$\",\"code\",null,{\"children\":\"users\"}],\" field. If you change the \",[\"$\",\"code\",null,{\"children\":\"dst\"}],\" field from \",[\"$\",\"code\",null,{\"children\":\"autogroup:self\"}],\" to some other destination, such as an \",[\"$\",\"a\",null,{\"href\":\"https://tailscale.com/kb/1068/acl-tags/\",\"children\":\"ACL tag\"}],\", also consider replacing\",\" \",[\"$\",\"code\",null,{\"children\":\"autogroup:nonroot\"}],\" in the \",[\"$\",\"code\",null,{\"children\":\"users\"}],\" field. If you don't remove \",[\"$\",\"code\",null,{\"children\":\"autogroup:nonroot\"}],\" from the \",[\"$\",\"code\",null,{\"children\":\"users\"}],\" field, then anyone permitted by the \",[\"$\",\"code\",null,{\"children\":\"src\"}],\" setting will be able to SSH in as any nonroot user on the \",[\"$\",\"code\",null,{\"children\":\"dst\"}],\" device.\"]}],\"\\n\",[\"$\",\"span\",null,{\"id\":\"domainbased\"}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"domain-based-autogroups\",\"children\":\"Domain based autogroups\",\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"Some autogroups include a specific domain name. For example, \",[\"$\",\"code\",null,{\"children\":\"user:*@example.com\"}],\" or \",[\"$\",\"code\",null,{\"children\":\"localpart:*@example.com\"}],\". These autogroups include users who are both members of the tailnet and whose login is in the autogroup domain. 
For example, if the tailnet \",[\"$\",\"code\",null,{\"children\":\"example.com\"}],\" uses the autogroup \",[\"$\",\"code\",null,{\"children\":\"user:*@altostrat.com\"}],\", this group includes all members of the \",[\"$\",\"code\",null,{\"children\":\"example.com\"}],\" tailnet who log in as a user at \",[\"$\",\"code\",null,{\"children\":\"@altostrat.com\"}],\" (such as \",[\"$\",\"code\",null,{\"children\":\"laura@altostrat.com\"}],\").\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":\"The following restrictions apply to the domains used in autogroups:\"}],\"\\n\",[\"$\",\"ul\",null,{\"children\":[\"\\n\",[\"$\",\"li\",null,{\"children\":[\"The provided domain must not be a known shared domain (such as \",[\"$\",\"code\",null,{\"children\":\"gmail.com\"}],\").\"]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"If a tailnet uses domain aliases, you must explicitly specify the aliased domains in the ACL. For example, if \",[\"$\",\"code\",null,{\"children\":\"example.io\"}],\" is aliased to \",[\"$\",\"code\",null,{\"children\":\"example.com\"}],\" and you want to include users from both \",[\"$\",\"code\",null,{\"children\":\"example.com\"}],\" and \",[\"$\",\"code\",null,{\"children\":\"example.io\"}],\", use both \",[\"$\",\"code\",null,{\"children\":\"user:*@example.com\"}],\" and \",[\"$\",\"code\",null,{\"children\":\"user:*@example.io\"}],\".\"]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"Although the expressions use the wildcard \",[\"$\",\"code\",null,{\"children\":\"*\"}],\", it does not support arbitrary wildcards. 
For example, \",[\"$\",\"code\",null,{\"children\":\"user:b*b@example.com\"}],\" will not match \",[\"$\",\"code\",null,{\"children\":\"bob@example.com\"}],\".\"]}],\"\\n\"]}],\"\\n\",[\"$\",\"span\",null,{\"id\":\"groups\"}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"groups\",\"children\":\"Groups\",\"level\":2}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm\",\"children\":[[\"$\",\"span\",null,{\"className\":\"absolute left-3 top-3 inline-block h-[18px] w-[18px]\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"18px\",\"height\":\"18px\",\"viewBox\":\"0 0 24 24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":\"2\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"12\",\"cy\":\"12\",\"r\":\"10\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"16\",\"x2\":\"12\",\"y2\":\"12\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"8\",\"x2\":\"12.01\",\"y2\":\"8\"}]]}]}],[\"Groups\",\" \",\"are\",\" available for \",[\"$\",\"$L16\",null,{\"href\":\"/pricing\",\"className\":\"!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline\",\"children\":\"the Personal, Personal Plus, Premium, and Enterprise plans\"}],\".\"]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The \",[\"$\",\"code\",null,{\"children\":\"groups\"}],\" section lets you create groups of users, which you can use in access rules (instead of listing users out explicitly). 
Any change you make to the membership of a group propagates to all the rules that reference that group.\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The following example demonstrates creating an \",[\"$\",\"code\",null,{\"children\":\"engineering\"}],\" group and a \",[\"$\",\"code\",null,{\"children\":\"sales\"}],\" group.\"]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"group relative overflow-hidden\",\"children\":[[\"$\",\"div\",null,{\"className\":\"absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100\",\"children\":[\"$\",\"$L2e8\",null,{\"text\":\"\\\"groups\\\": {\\n \\\"group:engineering\\\": [\\n \\\"dave@example.com\\\",\\n \\\"laura@example.com\\\",\\n ],\\n \\\"group:sales\\\": [\\n \\\"brad@example.com\\\",\\n \\\"alice@example.com\\\",\\n ],\\n},\\n\"}]}],[\"$\",\"pre\",null,{\"className\":\"refractor language-json\",\"children\":[\"$\",\"code\",null,{\"className\":\"language-json\",\"children\":[[\"$\",\"span\",\"fract-0-0\",{\"className\":\"token property\",\"children\":[\"\\\"groups\\\"\"]}],[\"$\",\"span\",\"fract-0-1\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-3\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-5\",{\"className\":\"token property\",\"children\":[\"\\\"group:engineering\\\"\"]}],[\"$\",\"span\",\"fract-0-6\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-8\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-10\",{\"className\":\"token string\",\"children\":[\"\\\"dave@example.com\\\"\"]}],[\"$\",\"span\",\"fract-0-11\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-13\",{\"className\":\"token 
string\",\"children\":[\"\\\"laura@example.com\\\"\"]}],[\"$\",\"span\",\"fract-0-14\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-16\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-17\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-19\",{\"className\":\"token property\",\"children\":[\"\\\"group:sales\\\"\"]}],[\"$\",\"span\",\"fract-0-20\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-22\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-24\",{\"className\":\"token string\",\"children\":[\"\\\"brad@example.com\\\"\"]}],[\"$\",\"span\",\"fract-0-25\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-27\",{\"className\":\"token string\",\"children\":[\"\\\"alice@example.com\\\"\"]}],[\"$\",\"span\",\"fract-0-28\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-30\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-31\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n\",[\"$\",\"span\",\"fract-0-33\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],[\"$\",\"span\",\"fract-0-34\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n\"]}]}]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"Every group name must start with the prefix \",[\"$\",\"code\",null,{\"children\":\"group:\"}],\". Each group member is specified by their full email address, as explained in the \",[\"$\",\"a\",null,{\"href\":\"#reference-users\",\"children\":\"users section\"}],\" above. 
To avoid the risk of obfuscating group membership, groups cannot contain other groups.\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"You can add or remove a user's group membership by editing the tailnet policy file, as shown in the example \",[\"$\",\"code\",null,{\"children\":\"groups\"}],\" definition above, and directly from the \",[\"$\",\"a\",null,{\"href\":\"https://login.tailscale.com/admin/users\",\"children\":[\"$\",\"strong\",null,{\"children\":\"Users\"}]}],\" page of the admin console.\"]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"edit-a-users-group-membership-from-the-users-page\",\"children\":\"Edit a user's group membership from the Users page\",\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"You must be an \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1138/user-roles/\",\"className\":\"!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline\",\"children\":\"Owner, Admin, or Network admin\"}],\" to edit a user's group membership from the \",[\"$\",\"strong\",null,{\"children\":\"Users\"}],\" page.\"]}],\"\\n\",[\"$\",\"ol\",null,{\"children\":[\"\\n\",[\"$\",\"li\",null,{\"children\":[\"Open the \",[\"$\",\"a\",null,{\"href\":\"https://login.tailscale.com/admin/users\",\"children\":[\"$\",\"strong\",null,{\"children\":\"Users\"}]}],\" page in the admin console.\"]}],\"\\n\",[\"$\",\"li\",null,{\"children\":\"Find the user by name.\"}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"Select the \",[\"$\",\"$L2ea\",null,{\"className\":\"fa-icon !text-gray-400\",\"alt\":\"ellipsis icon\",\"src\":\"/files/images/icons/fa-ellipsis-h.svg\",\"height\":24,\"width\":24}],\" menu \u003e \",[\"$\",\"strong\",null,{\"children\":\"Edit group membership\"}],\".\"]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"In the \",[\"$\",\"strong\",null,{\"children\":\"Edit group membership\"}],\" 
dialog:\",\"\\n\",[\"$\",\"ol\",null,{\"children\":[\"\\n\",[\"$\",\"li\",null,{\"children\":[\"To add a group, select \",[\"$\",\"strong\",null,{\"children\":\"Add to a group\"}],\", then the group to add.\"]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"To remove a group, select the \",[\"$\",\"strong\",null,{\"children\":\"X\"}],\" next to the group to delete.\"]}],\"\\n\"]}],\"\\n\"]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"When you finish editing the groups for the user, select \",[\"$\",\"strong\",null,{\"children\":\"Save\"}],\".\"]}],\"\\n\"]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"provisioned-groups\",\"children\":\"Provisioned groups\",\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"You can create groups in your identity provider and sync them with Tailscale's ACLs with \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1290/user-group-provisioning#syncing-group-membership\",\"children\":\"user and group provisioning\"}],\".\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":\"You can use the same human-readable group names in your identity provider to refer to groups in your tailnet policy file. 
The following example shows an access rule that manages access for the “security-team” group.\"}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"group relative overflow-hidden\",\"children\":[[\"$\",\"div\",null,{\"className\":\"absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100\",\"children\":[\"$\",\"$L2e8\",null,{\"text\":\"{\\n \\\"acls\\\": [\\n {\\n \\\"action\\\": \\\"accept\\\",\\n \\\"src\\\": [\\\"group:security-team@example.com\\\"],\\n \\\"dst\\\": [\\\"tag:logging:*\\\"]\\n }\\n ],\\n \\\"tagOwners\\\": {\\n \\\"tag:logging\\\": [\\\"group:security-team@example.com\\\"]\\n }\\n}\\n\"}]}],[\"$\",\"pre\",null,{\"className\":\"refractor language-json\",\"children\":[\"$\",\"code\",null,{\"className\":\"language-json\",\"children\":[[\"$\",\"span\",\"fract-0-0\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-2\",{\"className\":\"token property\",\"children\":[\"\\\"acls\\\"\"]}],[\"$\",\"span\",\"fract-0-3\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-5\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-7\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-9\",{\"className\":\"token property\",\"children\":[\"\\\"action\\\"\"]}],[\"$\",\"span\",\"fract-0-10\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-12\",{\"className\":\"token string\",\"children\":[\"\\\"accept\\\"\"]}],[\"$\",\"span\",\"fract-0-13\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-15\",{\"className\":\"token property\",\"children\":[\"\\\"src\\\"\"]}],[\"$\",\"span\",\"fract-0-16\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-18\",{\"className\":\"token 
punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-19\",{\"className\":\"token string\",\"children\":[\"\\\"group:security-team@example.com\\\"\"]}],[\"$\",\"span\",\"fract-0-20\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-21\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-23\",{\"className\":\"token property\",\"children\":[\"\\\"dst\\\"\"]}],[\"$\",\"span\",\"fract-0-24\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-26\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-27\",{\"className\":\"token string\",\"children\":[\"\\\"tag:logging:*\\\"\"]}],[\"$\",\"span\",\"fract-0-28\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-30\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-32\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-33\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-35\",{\"className\":\"token property\",\"children\":[\"\\\"tagOwners\\\"\"]}],[\"$\",\"span\",\"fract-0-36\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-38\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-40\",{\"className\":\"token property\",\"children\":[\"\\\"tag:logging\\\"\"]}],[\"$\",\"span\",\"fract-0-41\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-43\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-44\",{\"className\":\"token string\",\"children\":[\"\\\"group:security-team@example.com\\\"\"]}],[\"$\",\"span\",\"fract-0-45\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-47\",{\"className\":\"token 
punctuation\",\"children\":[\"}\"]}],\"\\n\",[\"$\",\"span\",\"fract-0-49\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],\"\\n\"]}]}]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":\"You can only edit groups defined in ACLs. You can use groups synced from a System for Cross-domain Identity Management (SCIM) integration or tailnet autogroups, but you cannot edit them.\"}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"reference-multiple-devices\",\"children\":\"Reference multiple devices\",\"level\":2}],\"\\n\",[\"$\",\"p\",null,{\"children\":\"You can define access rules for sets of devices using tags or hosts. Tags let you define role-based access controls so that different services have different access rules. Hosts let you define controls based on a reference to an IP address.\"}],\"\\n\",[\"$\",\"ul\",null,{\"children\":[\"\\n\",[\"$\",\"li\",null,{\"children\":\"Tags reference groups of non-user devices (such as applications or servers). For example, you might have a tag that groups all servers in a particular data center.\"}],\"\\n\",[\"$\",\"li\",null,{\"children\":\"Hosts reference groups of devices by IP address ranges (both on and beyond the tailnet). 
For example, you can use hosts to address applications with fixed IP addresses that you might be unable to modify.\"}],\"\\n\"]}],\"\\n\",[\"$\",\"span\",null,{\"id\":\"tags\"}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"tags\",\"children\":\"Tags\",\"level\":3}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm\",\"children\":[[\"$\",\"span\",null,{\"className\":\"absolute left-3 top-3 inline-block h-[18px] w-[18px]\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"18px\",\"height\":\"18px\",\"viewBox\":\"0 0 24 24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":\"2\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"12\",\"cy\":\"12\",\"r\":\"10\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"16\",\"x2\":\"12\",\"y2\":\"12\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"8\",\"x2\":\"12.01\",\"y2\":\"8\"}]]}]}],[\"Tags\",\" \",\"are\",\" available for \",[\"$\",\"$L16\",null,{\"href\":\"/pricing\",\"className\":\"!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline\",\"children\":\"all plans\"}],\".\"]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The \",[\"$\",\"code\",null,{\"children\":\"tags\"}],\" section of the tailnet policy file lets you create \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1068/tags\",\"children\":\"tags\"}],\" that group non-human devices. 
You can then use the tags to select these devices in an ACL.\"]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm\",\"children\":[[\"$\",\"span\",null,{\"className\":\"absolute left-3 top-3 inline-block h-[18px] w-[18px]\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"18px\",\"height\":\"18px\",\"viewBox\":\"0 0 24 24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":\"2\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"12\",\"cy\":\"12\",\"r\":\"10\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"16\",\"x2\":\"12\",\"y2\":\"12\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"8\",\"x2\":\"12.01\",\"y2\":\"8\"}]]}]}],[\"$\",\"p\",null,{\"children\":[\"You must \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1068/tags#define-a-tag\",\"children\":\"define the tag\"}],\" in the \",[\"$\",\"a\",null,{\"href\":\"#tag-owners\",\"children\":[\"$\",\"code\",null,{\"children\":\"tagOwners\"}]}],\" section of the tailnet policy file before using it in an ACL. 
To tag a device, \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1068/tags#apply-a-tag-to-a-device\",\"children\":\"authenticate as the tag on the device\"}],\".\"]}]]}],\"\\n\",[\"$\",\"span\",null,{\"id\":\"hosts\"}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"hosts\",\"children\":\"Hosts\",\"level\":3}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm\",\"children\":[[\"$\",\"span\",null,{\"className\":\"absolute left-3 top-3 inline-block h-[18px] w-[18px]\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"18px\",\"height\":\"18px\",\"viewBox\":\"0 0 24 24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":\"2\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"12\",\"cy\":\"12\",\"r\":\"10\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"16\",\"x2\":\"12\",\"y2\":\"12\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"8\",\"x2\":\"12.01\",\"y2\":\"8\"}]]}]}],[\"Hosts\",\" \",\"are\",\" available for \",[\"$\",\"$L16\",null,{\"href\":\"/pricing\",\"className\":\"!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline\",\"children\":\"all plans\"}],\".\"]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The \",[\"$\",\"code\",null,{\"children\":\"hosts\"}],\" section lets you define a human-friendly name for an IP address or CIDR range.\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":\"The following example shows two host definitions: one for a single IP address and one for a CIDR range.\"}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"group relative overflow-hidden\",\"children\":[[\"$\",\"div\",null,{\"className\":\"absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity 
duration-200 group-hover:opacity-100\",\"children\":[\"$\",\"$L2e8\",null,{\"text\":\"\\\"hosts\\\": {\\n \\\"example-host-1\\\": \\\"198.51.100.100\\\",\\n \\\"example-network-1\\\": \\\"198.51.100.0/24\\\",\\n},\\n\"}]}],[\"$\",\"pre\",null,{\"className\":\"refractor language-json\",\"children\":[\"$\",\"code\",null,{\"className\":\"language-json\",\"children\":[[\"$\",\"span\",\"fract-0-0\",{\"className\":\"token property\",\"children\":[\"\\\"hosts\\\"\"]}],[\"$\",\"span\",\"fract-0-1\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-3\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-5\",{\"className\":\"token property\",\"children\":[\"\\\"example-host-1\\\"\"]}],[\"$\",\"span\",\"fract-0-6\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-8\",{\"className\":\"token string\",\"children\":[\"\\\"198.51.100.100\\\"\"]}],[\"$\",\"span\",\"fract-0-9\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-11\",{\"className\":\"token property\",\"children\":[\"\\\"example-network-1\\\"\"]}],[\"$\",\"span\",\"fract-0-12\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-14\",{\"className\":\"token string\",\"children\":[\"\\\"198.51.100.0/24\\\"\"]}],[\"$\",\"span\",\"fract-0-15\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n\",[\"$\",\"span\",\"fract-0-17\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],[\"$\",\"span\",\"fract-0-18\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n\"]}]}]]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm\",\"children\":[[\"$\",\"span\",null,{\"className\":\"absolute left-3 top-3 inline-block h-[18px] 
w-[18px]\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"18px\",\"height\":\"18px\",\"viewBox\":\"0 0 24 24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":\"2\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"12\",\"cy\":\"12\",\"r\":\"10\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"16\",\"x2\":\"12\",\"y2\":\"12\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"8\",\"x2\":\"12.01\",\"y2\":\"8\"}]]}]}],[\"$\",\"p\",null,{\"children\":[\"The human-friendly hostname cannot include the character \",[\"$\",\"code\",null,{\"children\":\"@\"}],\".\"]}]]}],\"\\n\",[\"$\",\"span\",null,{\"id\":\"postures\"}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"postures\",\"children\":\"Postures\",\"level\":2}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm\",\"children\":[[\"$\",\"span\",null,{\"className\":\"absolute left-3 top-3 inline-block h-[18px] w-[18px]\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"18px\",\"height\":\"18px\",\"viewBox\":\"0 0 24 24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":\"2\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"12\",\"cy\":\"12\",\"r\":\"10\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"16\",\"x2\":\"12\",\"y2\":\"12\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"8\",\"x2\":\"12.01\",\"y2\":\"8\"}]]}]}],[\"Postures\",\" \",\"are\",\" available for \",[\"$\",\"$L16\",null,{\"href\":\"/pricing\",\"className\":\"!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline\",\"children\":\"all plans\"}],\".\"]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The 
\",[\"$\",\"code\",null,{\"children\":\"postures\"}],\" section lets you define a set of \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1288/device-posture\",\"children\":\"device posture management\"}],\" rules that a device must meet as part of a specific access rule.\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The following example shows how to use \",[\"$\",\"code\",null,{\"children\":\"postures\"}],\" to select macOS devices running \",[\"$\",\"code\",null,{\"children\":\"node\"}],\" version 1.40 or later.\"]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"group relative overflow-hidden\",\"children\":[[\"$\",\"div\",null,{\"className\":\"absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100\",\"children\":[\"$\",\"$L2e8\",null,{\"text\":\"\\\"postures\\\": {\\n \\\"posture:latestMac\\\": [\\n \\\"node:os IN ['macos']\\\",\\n \\\"node:tsReleaseTrack == 'stable'\\\",\\n \\\"node:tsVersion \u003e= '1.40'\\\",\\n ],\\n},\\n\"}]}],[\"$\",\"pre\",null,{\"className\":\"refractor language-json\",\"children\":[\"$\",\"code\",null,{\"className\":\"language-json\",\"children\":[[\"$\",\"span\",\"fract-0-0\",{\"className\":\"token property\",\"children\":[\"\\\"postures\\\"\"]}],[\"$\",\"span\",\"fract-0-1\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-3\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-5\",{\"className\":\"token property\",\"children\":[\"\\\"posture:latestMac\\\"\"]}],[\"$\",\"span\",\"fract-0-6\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-8\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-10\",{\"className\":\"token string\",\"children\":[\"\\\"node:os IN ['macos']\\\"\"]}],[\"$\",\"span\",\"fract-0-11\",{\"className\":\"token 
punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-13\",{\"className\":\"token string\",\"children\":[\"\\\"node:tsReleaseTrack == 'stable'\\\"\"]}],[\"$\",\"span\",\"fract-0-14\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-16\",{\"className\":\"token string\",\"children\":[\"\\\"node:tsVersion \u003e= '1.40'\\\"\"]}],[\"$\",\"span\",\"fract-0-17\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-19\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-20\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n\",[\"$\",\"span\",\"fract-0-22\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],[\"$\",\"span\",\"fract-0-23\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n\"]}]}]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"Each posture must start with the prefix \",[\"$\",\"code\",null,{\"children\":\"posture:\"}],\" followed by a name, a set of \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1288/device-posture#device-posture-attributes\",\"children\":\"posture attributes\"}],\", and their allowed values, given as a list of strings.\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"Refer to \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1288/device-posture\",\"children\":\"device posture management\"}],\" for more information\"]}],\"\\n\",[\"$\",\"span\",null,{\"id\":\"tag-owners\"}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"tag-owners\",\"children\":\"Tag owners\",\"level\":2}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm\",\"children\":[[\"$\",\"span\",null,{\"className\":\"absolute left-3 top-3 inline-block h-[18px] w-[18px]\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"18px\",\"height\":\"18px\",\"viewBox\":\"0 0 24 
24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":\"2\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"12\",\"cy\":\"12\",\"r\":\"10\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"16\",\"x2\":\"12\",\"y2\":\"12\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"8\",\"x2\":\"12.01\",\"y2\":\"8\"}]]}]}],[\"Tags\",\" \",\"are\",\" available for \",[\"$\",\"$L16\",null,{\"href\":\"/pricing\",\"className\":\"!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline\",\"children\":\"all plans\"}],\".\"]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The \",[\"$\",\"code\",null,{\"children\":\"tagOwners\"}],\" section of the tailnet policy file defines the tags assignable to devices and the list of users allowed to assign each tag.\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The following example shows a \",[\"$\",\"code\",null,{\"children\":\"tagOwners\"}],\" definition that:\"]}],\"\\n\",[\"$\",\"ul\",null,{\"children\":[\"\\n\",[\"$\",\"li\",null,{\"children\":[\"Sets the \",[\"$\",\"code\",null,{\"children\":\"engineering\"}],\" group as the owner of the \",[\"$\",\"code\",null,{\"children\":\"webserver\"}],\" tag.\"]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"Sets \",[\"$\",\"code\",null,{\"children\":\"president@example.com\"}],\" and the \",[\"$\",\"code\",null,{\"children\":\"security-admins\"}],\" group as the owners of the \",[\"$\",\"code\",null,{\"children\":\"secure-server\"}],\" tag.\"]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"Sets the \",[\"$\",\"code\",null,{\"children\":\"autogroup:member\"}],\" autogroup as the owner of the \",[\"$\",\"code\",null,{\"children\":\"corp\"}],\" tag, so every user in that autogroup is allowed to assign it.\"]}],\"\\n\"]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"group relative overflow-hidden\",\"children\":[[\"$\",\"div\",null,{\"className\":\"absolute right-[5px] top-[21px] flex h-10 w-10 items-center 
justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100\",\"children\":[\"$\",\"$L2e8\",null,{\"text\":\"\\\"tagOwners\\\": {\\n \\\"tag:webserver\\\": [\\n \\\"group:engineering\\\",\\n ],\\n \\\"tag:secure-server\\\": [\\n \\\"group:security-admins\\\",\\n \\\"president@example.com\\\",\\n ],\\n \\\"tag:corp\\\": [\\n \\\"autogroup:member\\\",\\n ],\\n}\\n\"}]}],[\"$\",\"pre\",null,{\"className\":\"refractor language-json\",\"children\":[\"$\",\"code\",null,{\"className\":\"language-json\",\"children\":[[\"$\",\"span\",\"fract-0-0\",{\"className\":\"token property\",\"children\":[\"\\\"tagOwners\\\"\"]}],[\"$\",\"span\",\"fract-0-1\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-3\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-5\",{\"className\":\"token property\",\"children\":[\"\\\"tag:webserver\\\"\"]}],[\"$\",\"span\",\"fract-0-6\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-8\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-10\",{\"className\":\"token string\",\"children\":[\"\\\"group:engineering\\\"\"]}],[\"$\",\"span\",\"fract-0-11\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-13\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-14\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-16\",{\"className\":\"token property\",\"children\":[\"\\\"tag:secure-server\\\"\"]}],[\"$\",\"span\",\"fract-0-17\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-19\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-21\",{\"className\":\"token 
string\",\"children\":[\"\\\"group:security-admins\\\"\"]}],[\"$\",\"span\",\"fract-0-22\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-24\",{\"className\":\"token string\",\"children\":[\"\\\"president@example.com\\\"\"]}],[\"$\",\"span\",\"fract-0-25\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-27\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-28\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-30\",{\"className\":\"token property\",\"children\":[\"\\\"tag:corp\\\"\"]}],[\"$\",\"span\",\"fract-0-31\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-33\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-35\",{\"className\":\"token string\",\"children\":[\"\\\"autogroup:member\\\"\"]}],[\"$\",\"span\",\"fract-0-36\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-38\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-39\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n\",[\"$\",\"span\",\"fract-0-41\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],\"\\n\"]}]}]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"Every tag name must start with the prefix \",[\"$\",\"code\",null,{\"children\":\"tag:\"}],\". 
A tag owner can be a user's full login email address (as defined in the \",[\"$\",\"a\",null,{\"href\":\"#reference-users\",\"children\":\"users section\"}],\" above), a \",[\"$\",\"a\",null,{\"href\":\"#groups\",\"children\":\"group name\"}],\", an \",[\"$\",\"a\",null,{\"href\":\"#autogroups\",\"children\":\"autogroup\"}],\", or another tag.\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"A shorthand notation, \",[\"$\",\"code\",null,{\"children\":\"[]\"}],\", is available for \",[\"$\",\"code\",null,{\"children\":\"autogroup:admin\"}],\". That is, the following are equivalent:\"]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"group relative overflow-hidden\",\"children\":[[\"$\",\"div\",null,{\"className\":\"absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100\",\"children\":[\"$\",\"$L2e8\",null,{\"text\":\"\\\"tag:monitoring\\\": [\\n \\\"autogroup:admin\\\",\\n],\\n\"}]}],[\"$\",\"pre\",null,{\"className\":\"refractor language-json\",\"children\":[\"$\",\"code\",null,{\"className\":\"language-json\",\"children\":[[\"$\",\"span\",\"fract-0-0\",{\"className\":\"token property\",\"children\":[\"\\\"tag:monitoring\\\"\"]}],[\"$\",\"span\",\"fract-0-1\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-3\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-5\",{\"className\":\"token string\",\"children\":[\"\\\"autogroup:admin\\\"\"]}],[\"$\",\"span\",\"fract-0-6\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n\",[\"$\",\"span\",\"fract-0-8\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-9\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n\"]}]}]]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"group relative overflow-hidden\",\"children\":[[\"$\",\"div\",null,{\"className\":\"absolute 
right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100\",\"children\":[\"$\",\"$L2e8\",null,{\"text\":\"\\\"tag:monitoring\\\": [],\\n\"}]}],[\"$\",\"pre\",null,{\"className\":\"refractor language-json\",\"children\":[\"$\",\"code\",null,{\"className\":\"language-json\",\"children\":[[\"$\",\"span\",\"fract-0-0\",{\"className\":\"token property\",\"children\":[\"\\\"tag:monitoring\\\"\"]}],[\"$\",\"span\",\"fract-0-1\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-3\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-4\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-5\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n\"]}]}]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The autogroups \",[\"$\",\"code\",null,{\"children\":\"autogroup:admin\"}],\" and \",[\"$\",\"code\",null,{\"children\":\"autogroup:network-admin\"}],\" can assign all tags, so \",[\"$\",\"code\",null,{\"children\":\"[]\"}],\" implicitly allows only \",[\"$\",\"code\",null,{\"children\":\"autogroup:admin\"}],\" and \",[\"$\",\"code\",null,{\"children\":\"autogroup:network-admin\"}],\".\"]}],\"\\n\",[\"$\",\"span\",null,{\"id\":\"autoapprovers\"}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"auto-approvers\",\"children\":\"Auto approvers\",\"level\":2}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm\",\"children\":[[\"$\",\"span\",null,{\"className\":\"absolute left-3 top-3 inline-block h-[18px] w-[18px]\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"18px\",\"height\":\"18px\",\"viewBox\":\"0 0 24 
24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":\"2\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"12\",\"cy\":\"12\",\"r\":\"10\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"16\",\"x2\":\"12\",\"y2\":\"12\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"8\",\"x2\":\"12.01\",\"y2\":\"8\"}]]}]}],[\"Auto approvers\",\" \",\"are\",\" available for \",[\"$\",\"$L16\",null,{\"href\":\"/pricing\",\"className\":\"!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline\",\"children\":\"all plans\"}],\".\"]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The \",[\"$\",\"code\",null,{\"children\":\"autoApprovers\"}],\" section of the tailnet policy file defines the list of users who can perform specific actions without further approval from the admin console. Some actions in Tailscale require double opt-in: an \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1138/user-roles/\",\"className\":\"!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline\",\"children\":\"Admin\"}],\" must enable them on the device running Tailscale and in the Tailscale admin console. 
These actions include:\"]}],\"\\n\",[\"$\",\"ul\",null,{\"children\":[\"\\n\",[\"$\",\"li\",null,{\"children\":[[\"$\",\"$L16\",null,{\"href\":\"/kb/1019/subnets/connect-to-tailscale-as-a-subnet-router\",\"children\":\"Advertising a specified set of routes\"}],\" as a subnet router.\"]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[[\"$\",\"$L16\",null,{\"href\":\"/kb/1103/exit-nodes/#advertise-a-device-as-an-exit-node\",\"children\":\"Advertising an exit node\"}],\".\"]}],\"\\n\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":\"For routes, this also permits the auto approvers to advertise a subnet of the specified routes.\"}],\"\\n\",[\"$\",\"p\",null,{\"children\":\"Tailscale stops advertising a route if one of the following occurs:\"}],\"\\n\",[\"$\",\"ul\",null,{\"children\":[\"\\n\",[\"$\",\"li\",null,{\"children\":\"The device is re-authenticated by a different user (who cannot advertise the route or exit node).\"}],\"\\n\",[\"$\",\"li\",null,{\"children\":\"The user who advertised the route is suspended or deleted.\"}],\"\\n\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"To avoid a scenario where Tailscale stops advertising a route, consider using a \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1068/tags\",\"children\":\"tag\"}],\" as an auto approver.\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The following example shows an \",[\"$\",\"code\",null,{\"children\":\"autoApprovers\"}],\" definition that automatically approves the \",[\"$\",\"code\",null,{\"children\":\"192.0.2.0/24\"}],\" routes for \",[\"$\",\"code\",null,{\"children\":\"alice@example.com\"}],\", members of the \",[\"$\",\"code\",null,{\"children\":\"engineering\"}],\" group, and devices tagged with \",[\"$\",\"code\",null,{\"children\":\"foo\"}],\". 
It also automatically approves exit nodes advertised by devices tagged with \",[\"$\",\"code\",null,{\"children\":\"bar\"}],\".\"]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"group relative overflow-hidden\",\"children\":[[\"$\",\"div\",null,{\"className\":\"absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100\",\"children\":[\"$\",\"$L2e8\",null,{\"text\":\"\\\"autoApprovers\\\": {\\n \\\"routes\\\": {\\n \\\"192.0.2.0/24\\\": [\\\"group:engineering\\\", \\\"alice@example.com\\\", \\\"tag:foo\\\"],\\n },\\n \\\"exitNode\\\": [\\\"tag:bar\\\"],\\n}\\n\"}]}],[\"$\",\"pre\",null,{\"className\":\"refractor language-json\",\"children\":[\"$\",\"code\",null,{\"className\":\"language-json\",\"children\":[[\"$\",\"span\",\"fract-0-0\",{\"className\":\"token property\",\"children\":[\"\\\"autoApprovers\\\"\"]}],[\"$\",\"span\",\"fract-0-1\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-3\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-5\",{\"className\":\"token property\",\"children\":[\"\\\"routes\\\"\"]}],[\"$\",\"span\",\"fract-0-6\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-8\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-10\",{\"className\":\"token property\",\"children\":[\"\\\"192.0.2.0/24\\\"\"]}],[\"$\",\"span\",\"fract-0-11\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-13\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-14\",{\"className\":\"token string\",\"children\":[\"\\\"group:engineering\\\"\"]}],[\"$\",\"span\",\"fract-0-15\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\" \",[\"$\",\"span\",\"fract-0-17\",{\"className\":\"token 
string\",\"children\":[\"\\\"alice@example.com\\\"\"]}],[\"$\",\"span\",\"fract-0-18\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\" \",[\"$\",\"span\",\"fract-0-20\",{\"className\":\"token string\",\"children\":[\"\\\"tag:foo\\\"\"]}],[\"$\",\"span\",\"fract-0-21\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-22\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-24\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],[\"$\",\"span\",\"fract-0-25\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-27\",{\"className\":\"token property\",\"children\":[\"\\\"exitNode\\\"\"]}],[\"$\",\"span\",\"fract-0-28\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-30\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-31\",{\"className\":\"token string\",\"children\":[\"\\\"tag:bar\\\"\"]}],[\"$\",\"span\",\"fract-0-32\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-33\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n\",[\"$\",\"span\",\"fract-0-35\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],\"\\n\"]}]}]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The auto approver of a route or exit node can be a user's full login email address (as defined in the \",[\"$\",\"a\",null,{\"href\":\"#reference-users\",\"children\":\"users section\"}],\" above), a \",[\"$\",\"a\",null,{\"href\":\"#groups\",\"children\":\"group name\"}],\", an \",[\"$\",\"a\",null,{\"href\":\"#autogroups\",\"children\":\"autogroup\"}],\" or a tag.\"]}],\"\\n\",[\"$\",\"span\",null,{\"id\":\"ssh\"}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"tailscale-ssh\",\"children\":\"Tailscale SSH\",\"level\":2}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"note border-grey-200 relative mt-4 rounded border border-solid pb-2 
pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm\",\"children\":[[\"$\",\"span\",null,{\"className\":\"absolute left-3 top-3 inline-block h-[18px] w-[18px]\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"18px\",\"height\":\"18px\",\"viewBox\":\"0 0 24 24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":\"2\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"12\",\"cy\":\"12\",\"r\":\"10\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"16\",\"x2\":\"12\",\"y2\":\"12\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"8\",\"x2\":\"12.01\",\"y2\":\"8\"}]]}]}],[\"Tailscale SSH\",\" \",\"is\",\" available for \",[\"$\",\"$L16\",null,{\"href\":\"/pricing\",\"className\":\"!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline\",\"children\":\"the Personal, Personal Plus, Premium, and Enterprise plans\"}],\".\"]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The \",[\"$\",\"code\",null,{\"children\":\"ssh\"}],\" section of the tailnet policy file defines lists of users and devices that can use \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1193/tailscale-ssh\",\"children\":\"Tailscale SSH\"}],\" (and the SSH users). To allow a connection, the tailnet policy file must contain rules permitting both network access and SSH access:\"]}],\"\\n\",[\"$\",\"ol\",null,{\"children\":[\"\\n\",[\"$\",\"li\",null,{\"children\":\"An access rule to allow connections from the source to the destination on port 22.\"}],\"\\n\",[\"$\",\"li\",null,{\"children\":\"An SSH access rule to allow connections from the source to the destination and the given SSH users. 
Tailscale SSH uses this to distribute keys for authenticating SSH connections.\"}],\"\\n\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The following example shows an \",[\"$\",\"code\",null,{\"children\":\"ssh\"}],\" definition that requires users connecting from the listed sources to the listed destinations, as the listed SSH users, to re-authenticate every 20 hours.\"]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"group relative overflow-hidden\",\"children\":[[\"$\",\"div\",null,{\"className\":\"absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100\",\"children\":[\"$\",\"$L2e8\",null,{\"text\":\"{\\n \\\"action\\\": \\\"check\\\", // \\\"accept\\\" or \\\"check\\\"\\n \\\"src\\\": [ \u003clist-of-sources\u003e ],\\n \\\"dst\\\": [ \u003clist-of-destinations\u003e ],\\n \\\"users\\\": [ \u003clist-of-ssh-users\u003e ],\\n \\\"checkPeriod\\\": \\\"20h\\\", // optional, only for check actions. default 12h\\n \\\"acceptEnv\\\": [ \\\"GIT_EDITOR\\\", \\\"GIT_COMMITTER_*\\\", \\\"CUSTOM_VAR_V?\\\" ] // optional, allowlists environment variables that can be forwarded from clients to the host\\n},\\n\"}]}],[\"$\",\"pre\",null,{\"className\":\"refractor language-json\",\"children\":[\"$\",\"code\",null,{\"className\":\"language-json\",\"children\":[[\"$\",\"span\",\"fract-0-0\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-2\",{\"className\":\"token property\",\"children\":[\"\\\"action\\\"\"]}],[\"$\",\"span\",\"fract-0-3\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-5\",{\"className\":\"token string\",\"children\":[\"\\\"check\\\"\"]}],[\"$\",\"span\",\"fract-0-6\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\" \",[\"$\",\"span\",\"fract-0-8\",{\"className\":\"token comment\",\"children\":[\"// \\\"accept\\\" or \\\"check\\\"\"]}],\"\\n 
\",[\"$\",\"span\",\"fract-0-10\",{\"className\":\"token property\",\"children\":[\"\\\"src\\\"\"]}],[\"$\",\"span\",\"fract-0-11\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-13\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\" \u003clist-of-sources\u003e \",[\"$\",\"span\",\"fract-0-15\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-16\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-18\",{\"className\":\"token property\",\"children\":[\"\\\"dst\\\"\"]}],[\"$\",\"span\",\"fract-0-19\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-21\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\" \u003clist-of-destinations\u003e \",[\"$\",\"span\",\"fract-0-23\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-24\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-26\",{\"className\":\"token property\",\"children\":[\"\\\"users\\\"\"]}],[\"$\",\"span\",\"fract-0-27\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-29\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\" \u003clist-of-ssh-users\u003e \",[\"$\",\"span\",\"fract-0-31\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-32\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-34\",{\"className\":\"token property\",\"children\":[\"\\\"checkPeriod\\\"\"]}],[\"$\",\"span\",\"fract-0-35\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-37\",{\"className\":\"token string\",\"children\":[\"\\\"20h\\\"\"]}],[\"$\",\"span\",\"fract-0-38\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\" \",[\"$\",\"span\",\"fract-0-40\",{\"className\":\"token 
comment\",\"children\":[\"// optional, only for check actions. default 12h\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-42\",{\"className\":\"token property\",\"children\":[\"\\\"acceptEnv\\\"\"]}],[\"$\",\"span\",\"fract-0-43\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-45\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\" \",[\"$\",\"span\",\"fract-0-47\",{\"className\":\"token string\",\"children\":[\"\\\"GIT_EDITOR\\\"\"]}],[\"$\",\"span\",\"fract-0-48\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\" \",[\"$\",\"span\",\"fract-0-50\",{\"className\":\"token string\",\"children\":[\"\\\"GIT_COMMITTER_*\\\"\"]}],[\"$\",\"span\",\"fract-0-51\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\" \",[\"$\",\"span\",\"fract-0-53\",{\"className\":\"token string\",\"children\":[\"\\\"CUSTOM_VAR_V?\\\"\"]}],\" \",[\"$\",\"span\",\"fract-0-55\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],\" \",[\"$\",\"span\",\"fract-0-57\",{\"className\":\"token comment\",\"children\":[\"// optional, allowlists environment variables that can be forwarded from clients to the host\"]}],\"\\n\",[\"$\",\"span\",\"fract-0-59\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],[\"$\",\"span\",\"fract-0-60\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n\"]}]}]]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"action-1\",\"children\":[\"$\",\"code\",null,{\"children\":\"action\"}],\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":\"Specifies whether to accept the connection or to perform additional checks on it.\"}],\"\\n\",[\"$\",\"ul\",null,{\"children\":[\"\\n\",[\"$\",\"li\",null,{\"children\":[[\"$\",\"code\",null,{\"children\":\"accept\"}],\" accepts connections from users already authenticated in the tailnet.\"]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[[\"$\",\"code\",null,{\"children\":\"check\"}],\" requires users to periodically reauthenticate according to the 
\",[\"$\",\"code\",null,{\"children\":\"checkPeriod\"}],\".\"]}],\"\\n\"]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"src-1\",\"children\":[\"$\",\"code\",null,{\"children\":\"src\"}],\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"Specifies the source (where a connection originates from). You can only define an access rule's destination (\",[\"$\",\"code\",null,{\"children\":\"dst\"}],\") as yourself, a group, a tag, or an autogroup. You cannot use \",[\"$\",\"code\",null,{\"children\":\"*\"}],\", other users, IP addresses, or hostnames.\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"It's impossible to guarantee the ownership of an IP address or hostname when you create an access rule. As a security measure, Tailscale prevents using users, IP addresses, or hostnames in the \",[\"$\",\"code\",null,{\"children\":\"dst\"}],\" field of access rules to protect against scenarios in which one user can unintentionally access a device that doesn't belong to them. Tailscale also prevents any \",[\"$\",\"code\",null,{\"children\":\"src\"}],\" and \",[\"$\",\"code\",null,{\"children\":\"dst\"}],\" combinations that allow multiple users to access a single user's device.\"]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm\",\"children\":[[\"$\",\"span\",null,{\"className\":\"absolute left-3 top-3 inline-block h-[18px] w-[18px]\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"18px\",\"height\":\"18px\",\"viewBox\":\"0 0 24 
24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":\"2\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"12\",\"cy\":\"12\",\"r\":\"10\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"16\",\"x2\":\"12\",\"y2\":\"12\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"8\",\"x2\":\"12.01\",\"y2\":\"8\"}]]}]}],[\"$\",\"p\",null,{\"children\":[\"Granting access to \",[\"$\",\"code\",null,{\"children\":\"autogroup:members\"}],\" also allows access to \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1271/invite-any-user\",\"children\":\"external invited users\"}],\" if the destination device is \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1084/sharing\",\"children\":\"shared\"}],\" with them, even if they have no devices in your tailnet.\"]}]]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"dst-1\",\"children\":[\"$\",\"code\",null,{\"children\":\"dst\"}],\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"Specifies the destination (where the connection goes). The destination can be a user, tag, or autogroup. Unlike ACLs, you cannot specify a port because only port \",[\"$\",\"code\",null,{\"children\":\"22\"}],\" is allowed. You cannot use \",[\"$\",\"code\",null,{\"children\":\"*\"}],\" as the destination.\"]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"users\",\"children\":[\"$\",\"code\",null,{\"children\":\"users\"}],\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":\"Specifies the set of allowed usernames on the host. 
Tailscale only uses user accounts that already exist on the host.\"}],\"\\n\",[\"$\",\"ul\",null,{\"children\":[\"\\n\",[\"$\",\"li\",null,{\"children\":[\"Specify \",[\"$\",\"code\",null,{\"children\":\"autogroup:nonroot\"}],\" to allow any user that is not \",[\"$\",\"code\",null,{\"children\":\"root\"}],\".\"]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"Specify \",[\"$\",\"code\",null,{\"children\":\"localpart:*@\u003cdomain\u003e\"}],\" to allow the user on the host whose name matches the \",[\"$\",\"a\",null,{\"href\":\"https://datatracker.ietf.org/doc/html/rfc2822#section-3.4.1\",\"children\":\"local-part\"}],\" of the user's login, if and only if the user's login email is in \",[\"$\",\"code\",null,{\"children\":\"\u003cdomain\u003e\"}],\". Tailscale does not do any special processing on the local-part. For example, if the login is \",[\"$\",\"code\",null,{\"children\":\"dave+sshuser@example.com\"}],\", Tailscale will map this to the ssh user \",[\"$\",\"code\",null,{\"children\":\"dave+sshuser\"}],\".\"]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"If no user is specified, Tailscale will use the local host’s user. That is, if the user is logged in as \",[\"$\",\"code\",null,{\"children\":\"alice\"}],\" locally, then connects with SSH to another device, Tailscale SSH will try to log in as user \",[\"$\",\"code\",null,{\"children\":\"alice\"}],\".\"]}],\"\\n\"]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"checkperiod\",\"children\":[\"$\",\"code\",null,{\"children\":\"checkPeriod\"}],\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"When \",[\"$\",\"code\",null,{\"children\":\"action\"}],\" is \",[\"$\",\"code\",null,{\"children\":\"check\"}],\", \",[\"$\",\"code\",null,{\"children\":\"checkPeriod\"}],\" specifies the time period for which to allow a connection before requiring a check. You can specify the time in minutes or hours. 
The time must be at least one minute and at most 168 hours (one week).\"]}],\"\\n\",[\"$\",\"ul\",null,{\"children\":[\"\\n\",[\"$\",\"li\",null,{\"children\":\"The default check period is 12 hours.\"}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"You can also specify \",[\"$\",\"code\",null,{\"children\":\"always\"}],\" to require a check on every connection. Using \",[\"$\",\"code\",null,{\"children\":\"always\"}],\" might cause unexpected behavior with automation tools that open many SSH connections in quick succession (such as \",[\"$\",\"a\",null,{\"href\":\"https://ansible.com\",\"children\":\"Ansible\"}],\").\"]}],\"\\n\"]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"acceptenv\",\"children\":[\"$\",\"code\",null,{\"children\":\"acceptEnv\"}],\"level\":3}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm\",\"children\":[[\"$\",\"span\",null,{\"className\":\"absolute left-3 top-3 inline-block h-[18px] w-[18px]\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"18px\",\"height\":\"18px\",\"viewBox\":\"0 0 24 24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":\"2\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"12\",\"cy\":\"12\",\"r\":\"10\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"16\",\"x2\":\"12\",\"y2\":\"12\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"8\",\"x2\":\"12.01\",\"y2\":\"8\"}]]}]}],[\"$\",\"p\",null,{\"children\":[\"The host must be running Tailscale v1.76.0 or later to use \",[\"$\",\"code\",null,{\"children\":\"acceptEnv\"}],\".\"]}]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"Specifies the set of allowlisted environment variable names that clients can send to the host using 
\",[\"$\",\"a\",null,{\"href\":\"https://man.openbsd.org/ssh_config#SendEnv\",\"children\":[\"$\",\"code\",null,{\"children\":\"SendEnv\"}]}],\" or \",[\"$\",\"a\",null,{\"href\":\"https://man.openbsd.org/ssh_config#SetEnv\",\"children\":[\"$\",\"code\",null,{\"children\":\"SetEnv\"}]}],\".\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"Values can contain \",[\"$\",\"code\",null,{\"children\":\"*\"}],\" and \",[\"$\",\"code\",null,{\"children\":\"?\"}],\" wildcard characters. \",[\"$\",\"code\",null,{\"children\":\"*\"}],\" matches zero or more characters and \",[\"$\",\"code\",null,{\"children\":\"?\"}],\" matches a single character. A value consisting only of \",[\"$\",\"code\",null,{\"children\":\"*\"}],\" allowlists every variable name, so prefer listing the specific names or prefixes that the host needs.\"]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"acceptenv-examples\",\"children\":[[\"$\",\"code\",null,{\"children\":\"acceptEnv\"}],\" examples\"],\"level\":4}],\"\\n\",[\"$\",\"table\",null,{\"children\":[[\"$\",\"thead\",null,{\"children\":[\"$\",\"tr\",null,{\"children\":[[\"$\",\"th\",null,{\"children\":\"acceptEnv\"}],[\"$\",\"th\",null,{\"children\":\"Permitted\"}],[\"$\",\"th\",null,{\"children\":\"Rejected\"}]]}]}],[\"$\",\"tbody\",null,{\"children\":[[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"*\"}]}],[\"$\",\"td\",null,{\"children\":[[\"$\",\"code\",null,{\"children\":\"FOO_A\"}],\" \",[\"$\",\"code\",null,{\"children\":\"FOO_B\"}],\" \",[\"$\",\"code\",null,{\"children\":\"FOO_OTHER\"}],\" \",[\"$\",\"code\",null,{\"children\":\"BAZ\"}]]}],[\"$\",\"td\",null,{}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"FOO_*\"}]}],[\"$\",\"td\",null,{\"children\":[[\"$\",\"code\",null,{\"children\":\"FOO_A\"}],\" \",[\"$\",\"code\",null,{\"children\":\"FOO_B\"}],\" 
\",[\"$\",\"code\",null,{\"children\":\"FOO_OTHER\"}]]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"BAZ\"}]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"FOO_?\"}]}],[\"$\",\"td\",null,{\"children\":[[\"$\",\"code\",null,{\"children\":\"FOO_A\"}],\" \",[\"$\",\"code\",null,{\"children\":\"FOO_B\"}]]}],[\"$\",\"td\",null,{\"children\":[[\"$\",\"code\",null,{\"children\":\"FOO_OTHER\"}],\" \",[\"$\",\"code\",null,{\"children\":\"BAZ\"}]]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"FOO_A\"}]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"FOO_A\"}]}],[\"$\",\"td\",null,{\"children\":[[\"$\",\"code\",null,{\"children\":\"FOO_B\"}],\" \",[\"$\",\"code\",null,{\"children\":\"FOO_OTHER\"}],\" \",[\"$\",\"code\",null,{\"children\":\"BAZ\"}]]}]]}]]}]]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"order-of-evaluation\",\"children\":\"Order of evaluation\",\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":\"Tailscale evaluates SSH access rules using the most restrictive policies first:\"}],\"\\n\",[\"$\",\"ul\",null,{\"children\":[\"\\n\",[\"$\",\"li\",null,{\"children\":\"Check policies\"}],\"\\n\",[\"$\",\"li\",null,{\"children\":\"Accept policies\"}],\"\\n\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"For example, if you have an access rule allowing the user \",[\"$\",\"code\",null,{\"children\":\"alice@example.com\"}],\" to access a resource with an \",[\"$\",\"code\",null,{\"children\":\"accept\"}],\" rule, and a rule allowing \",[\"$\",\"code\",null,{\"children\":\"group:devops\"}],\" which \",[\"$\",\"code\",null,{\"children\":\"alice@example.com\"}],\" belongs to, to access a resource with a \",[\"$\",\"code\",null,{\"children\":\"check\"}],\" rule, then the \",[\"$\",\"code\",null,{\"children\":\"check\"}],\" rule applies.\"]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"note 
border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm\",\"children\":[[\"$\",\"span\",null,{\"className\":\"absolute left-3 top-3 inline-block h-[18px] w-[18px]\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"18px\",\"height\":\"18px\",\"viewBox\":\"0 0 24 24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":\"2\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"12\",\"cy\":\"12\",\"r\":\"10\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"16\",\"x2\":\"12\",\"y2\":\"12\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"8\",\"x2\":\"12.01\",\"y2\":\"8\"}]]}]}],[\"$\",\"p\",null,{\"children\":[\"Tailnets that have not modified their ACLs have a \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1193/tailscale-ssh/#ssh-access-rules-in-default-acl\",\"children\":\"default SSH policy\"}],\" allowing users to access devices they own using check mode.\"]}]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":\"The only types of connections that are allowed are:\"}],\"\\n\",[\"$\",\"ul\",null,{\"children\":[\"\\n\",[\"$\",\"li\",null,{\"children\":[\"From a user to their own devices (as any user, including \",[\"$\",\"code\",null,{\"children\":\"root\"}],\").\"]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"From a user to a \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1068/tags\",\"children\":\"tagged\"}],\" device (as any user, including \",[\"$\",\"code\",null,{\"children\":\"root\"}],\").\"]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"From a tagged device to another tagged device (for any tags). 
An SSH access rule from a tagged device cannot be in \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1193/tailscale-ssh/#configure-tailscale-ssh-with-check-mode\",\"children\":\"check mode\"}],\".\"]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"From a user to a tagged device that has been \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1084/sharing\",\"children\":\"shared\"}],\" with them, as long as the destination host has Tailscale configured with SSH and the destination’s ACL allows the user to connect over SSH.\"]}],\"\\n\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":\"That is, the broadest policy allowed would be:\"}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"group relative overflow-hidden\",\"children\":[[\"$\",\"div\",null,{\"className\":\"absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100\",\"children\":[\"$\",\"$L2e8\",null,{\"text\":\"{\\n \\\"acls\\\": [\\n {\\n \\\"action\\\": \\\"accept\\\",\\n \\\"src\\\": [\\\"*\\\"],\\n \\\"dst\\\": [\\\"*:*\\\"]\\n }\\n ],\\n \\\"ssh\\\": [\\n {\\n \\\"action\\\": \\\"accept\\\",\\n \\\"src\\\": [\\\"autogroup:member\\\"],\\n \\\"dst\\\": [\\\"autogroup:self\\\"],\\n \\\"users\\\": [\\\"root\\\", \\\"autogroup:nonroot\\\"]\\n },\\n {\\n \\\"action\\\": \\\"accept\\\",\\n \\\"src\\\": [\\\"autogroup:member\\\"],\\n \\\"dst\\\": [\\\"tag:prod\\\"],\\n \\\"users\\\": [\\\"root\\\", \\\"autogroup:nonroot\\\"]\\n },\\n {\\n \\\"action\\\": \\\"accept\\\",\\n \\\"src\\\": [\\\"tag:logging\\\"],\\n \\\"dst\\\": [\\\"tag:prod\\\"],\\n \\\"users\\\": [\\\"root\\\", \\\"autogroup:nonroot\\\"]\\n }\\n ]\\n}\\n\"}]}],[\"$\",\"pre\",null,{\"className\":\"refractor language-json\",\"children\":[\"$\",\"code\",null,{\"className\":\"language-json\",\"children\":[[\"$\",\"span\",\"fract-0-0\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-2\",{\"className\":\"token 
property\",\"children\":[\"\\\"acls\\\"\"]}],[\"$\",\"span\",\"fract-0-3\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-5\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-7\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-9\",{\"className\":\"token property\",\"children\":[\"\\\"action\\\"\"]}],[\"$\",\"span\",\"fract-0-10\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-12\",{\"className\":\"token string\",\"children\":[\"\\\"accept\\\"\"]}],[\"$\",\"span\",\"fract-0-13\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-15\",{\"className\":\"token property\",\"children\":[\"\\\"src\\\"\"]}],[\"$\",\"span\",\"fract-0-16\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-18\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-19\",{\"className\":\"token string\",\"children\":[\"\\\"*\\\"\"]}],[\"$\",\"span\",\"fract-0-20\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-21\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-23\",{\"className\":\"token property\",\"children\":[\"\\\"dst\\\"\"]}],[\"$\",\"span\",\"fract-0-24\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-26\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-27\",{\"className\":\"token string\",\"children\":[\"\\\"*:*\\\"\"]}],[\"$\",\"span\",\"fract-0-28\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-30\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-32\",{\"className\":\"token 
punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-33\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-35\",{\"className\":\"token property\",\"children\":[\"\\\"ssh\\\"\"]}],[\"$\",\"span\",\"fract-0-36\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-38\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-40\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-42\",{\"className\":\"token property\",\"children\":[\"\\\"action\\\"\"]}],[\"$\",\"span\",\"fract-0-43\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-45\",{\"className\":\"token string\",\"children\":[\"\\\"accept\\\"\"]}],[\"$\",\"span\",\"fract-0-46\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-48\",{\"className\":\"token property\",\"children\":[\"\\\"src\\\"\"]}],[\"$\",\"span\",\"fract-0-49\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-51\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-52\",{\"className\":\"token string\",\"children\":[\"\\\"autogroup:member\\\"\"]}],[\"$\",\"span\",\"fract-0-53\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-54\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-56\",{\"className\":\"token property\",\"children\":[\"\\\"dst\\\"\"]}],[\"$\",\"span\",\"fract-0-57\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-59\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-60\",{\"className\":\"token string\",\"children\":[\"\\\"autogroup:self\\\"\"]}],[\"$\",\"span\",\"fract-0-61\",{\"className\":\"token 
punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-62\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-64\",{\"className\":\"token property\",\"children\":[\"\\\"users\\\"\"]}],[\"$\",\"span\",\"fract-0-65\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-67\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-68\",{\"className\":\"token string\",\"children\":[\"\\\"root\\\"\"]}],[\"$\",\"span\",\"fract-0-69\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\" \",[\"$\",\"span\",\"fract-0-71\",{\"className\":\"token string\",\"children\":[\"\\\"autogroup:nonroot\\\"\"]}],[\"$\",\"span\",\"fract-0-72\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-74\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],[\"$\",\"span\",\"fract-0-75\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-77\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-79\",{\"className\":\"token property\",\"children\":[\"\\\"action\\\"\"]}],[\"$\",\"span\",\"fract-0-80\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-82\",{\"className\":\"token string\",\"children\":[\"\\\"accept\\\"\"]}],[\"$\",\"span\",\"fract-0-83\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-85\",{\"className\":\"token property\",\"children\":[\"\\\"src\\\"\"]}],[\"$\",\"span\",\"fract-0-86\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-88\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-89\",{\"className\":\"token string\",\"children\":[\"\\\"autogroup:member\\\"\"]}],[\"$\",\"span\",\"fract-0-90\",{\"className\":\"token 
punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-91\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-93\",{\"className\":\"token property\",\"children\":[\"\\\"dst\\\"\"]}],[\"$\",\"span\",\"fract-0-94\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-96\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-97\",{\"className\":\"token string\",\"children\":[\"\\\"tag:prod\\\"\"]}],[\"$\",\"span\",\"fract-0-98\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-99\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-101\",{\"className\":\"token property\",\"children\":[\"\\\"users\\\"\"]}],[\"$\",\"span\",\"fract-0-102\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-104\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-105\",{\"className\":\"token string\",\"children\":[\"\\\"root\\\"\"]}],[\"$\",\"span\",\"fract-0-106\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\" \",[\"$\",\"span\",\"fract-0-108\",{\"className\":\"token string\",\"children\":[\"\\\"autogroup:nonroot\\\"\"]}],[\"$\",\"span\",\"fract-0-109\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-111\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],[\"$\",\"span\",\"fract-0-112\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-114\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-116\",{\"className\":\"token property\",\"children\":[\"\\\"action\\\"\"]}],[\"$\",\"span\",\"fract-0-117\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-119\",{\"className\":\"token 
string\",\"children\":[\"\\\"accept\\\"\"]}],[\"$\",\"span\",\"fract-0-120\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-122\",{\"className\":\"token property\",\"children\":[\"\\\"src\\\"\"]}],[\"$\",\"span\",\"fract-0-123\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-125\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-126\",{\"className\":\"token string\",\"children\":[\"\\\"tag:logging\\\"\"]}],[\"$\",\"span\",\"fract-0-127\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-128\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-130\",{\"className\":\"token property\",\"children\":[\"\\\"dst\\\"\"]}],[\"$\",\"span\",\"fract-0-131\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-133\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-134\",{\"className\":\"token string\",\"children\":[\"\\\"tag:prod\\\"\"]}],[\"$\",\"span\",\"fract-0-135\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-136\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-138\",{\"className\":\"token property\",\"children\":[\"\\\"users\\\"\"]}],[\"$\",\"span\",\"fract-0-139\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-141\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-142\",{\"className\":\"token string\",\"children\":[\"\\\"root\\\"\"]}],[\"$\",\"span\",\"fract-0-143\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\" \",[\"$\",\"span\",\"fract-0-145\",{\"className\":\"token string\",\"children\":[\"\\\"autogroup:nonroot\\\"\"]}],[\"$\",\"span\",\"fract-0-146\",{\"className\":\"token 
punctuation\",\"children\":[\"]\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-148\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-150\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],\"\\n\",[\"$\",\"span\",\"fract-0-152\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],\"\\n\"]}]}]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"To allow a user to only SSH to their own devices (as non-\",[\"$\",\"code\",null,{\"children\":\"root\"}],\"):\"]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"group relative overflow-hidden\",\"children\":[[\"$\",\"div\",null,{\"className\":\"absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100\",\"children\":[\"$\",\"$L2e8\",null,{\"text\":\"{\\n \\\"acls\\\": [\\n {\\n \\\"action\\\": \\\"accept\\\",\\n \\\"src\\\": [\\\"*\\\"],\\n \\\"dst\\\": [\\\"*:*\\\"]\\n }\\n ],\\n \\\"ssh\\\": [\\n {\\n \\\"action\\\": \\\"accept\\\",\\n \\\"src\\\": [\\\"autogroup:member\\\"],\\n \\\"dst\\\": [\\\"autogroup:self\\\"],\\n \\\"users\\\": [\\\"autogroup:nonroot\\\"]\\n }\\n ]\\n}\\n\"}]}],[\"$\",\"pre\",null,{\"className\":\"refractor language-json\",\"children\":[\"$\",\"code\",null,{\"className\":\"language-json\",\"children\":[[\"$\",\"span\",\"fract-0-0\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-2\",{\"className\":\"token property\",\"children\":[\"\\\"acls\\\"\"]}],[\"$\",\"span\",\"fract-0-3\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-5\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-7\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-9\",{\"className\":\"token property\",\"children\":[\"\\\"action\\\"\"]}],[\"$\",\"span\",\"fract-0-10\",{\"className\":\"token 
operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-12\",{\"className\":\"token string\",\"children\":[\"\\\"accept\\\"\"]}],[\"$\",\"span\",\"fract-0-13\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-15\",{\"className\":\"token property\",\"children\":[\"\\\"src\\\"\"]}],[\"$\",\"span\",\"fract-0-16\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-18\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-19\",{\"className\":\"token string\",\"children\":[\"\\\"*\\\"\"]}],[\"$\",\"span\",\"fract-0-20\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-21\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-23\",{\"className\":\"token property\",\"children\":[\"\\\"dst\\\"\"]}],[\"$\",\"span\",\"fract-0-24\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-26\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-27\",{\"className\":\"token string\",\"children\":[\"\\\"*:*\\\"\"]}],[\"$\",\"span\",\"fract-0-28\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-30\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-32\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-33\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-35\",{\"className\":\"token property\",\"children\":[\"\\\"ssh\\\"\"]}],[\"$\",\"span\",\"fract-0-36\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-38\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-40\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n 
\",[\"$\",\"span\",\"fract-0-42\",{\"className\":\"token property\",\"children\":[\"\\\"action\\\"\"]}],[\"$\",\"span\",\"fract-0-43\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-45\",{\"className\":\"token string\",\"children\":[\"\\\"accept\\\"\"]}],[\"$\",\"span\",\"fract-0-46\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-48\",{\"className\":\"token property\",\"children\":[\"\\\"src\\\"\"]}],[\"$\",\"span\",\"fract-0-49\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-51\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-52\",{\"className\":\"token string\",\"children\":[\"\\\"autogroup:member\\\"\"]}],[\"$\",\"span\",\"fract-0-53\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-54\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-56\",{\"className\":\"token property\",\"children\":[\"\\\"dst\\\"\"]}],[\"$\",\"span\",\"fract-0-57\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-59\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-60\",{\"className\":\"token string\",\"children\":[\"\\\"autogroup:self\\\"\"]}],[\"$\",\"span\",\"fract-0-61\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-62\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-64\",{\"className\":\"token property\",\"children\":[\"\\\"users\\\"\"]}],[\"$\",\"span\",\"fract-0-65\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-67\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-68\",{\"className\":\"token 
string\",\"children\":[\"\\\"autogroup:nonroot\\\"\"]}],[\"$\",\"span\",\"fract-0-69\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-71\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-73\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],\"\\n\",[\"$\",\"span\",\"fract-0-75\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],\"\\n\"]}]}]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"To allow \",[\"$\",\"code\",null,{\"children\":\"group:sre\"}],\" to access devices in the production environment tagged \",[\"$\",\"code\",null,{\"children\":\"tag:prod\"}],\":\"]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"group relative overflow-hidden\",\"children\":[[\"$\",\"div\",null,{\"className\":\"absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100\",\"children\":[\"$\",\"$L2e8\",null,{\"text\":\"{\\n \\\"groups\\\": {\\n \\\"group:sre\\\": [\\\"alice@example.com\\\", \\\"bob@example.com\\\"]\\n },\\n \\\"acls\\\": [\\n {\\n \\\"action\\\": \\\"accept\\\",\\n \\\"src\\\": [\\\"group:sre\\\"],\\n \\\"dst\\\": [\\\"tag:prod:*\\\"]\\n },\\n ],\\n \\\"ssh\\\": [\\n {\\n \\\"action\\\": \\\"accept\\\",\\n \\\"src\\\": [\\\"group:sre\\\"],\\n \\\"dst\\\": [\\\"tag:prod\\\"],\\n \\\"users\\\": [\\\"ubuntu\\\", \\\"root\\\"],\\n },\\n ]\\n \\\"tagOwners\\\": {\\n // users in group:sre can apply the tag tag:prod\\n \\\"tag:prod\\\": [\\\"group:sre\\\"]\\n }\\n}\\n\"}]}],[\"$\",\"pre\",null,{\"className\":\"refractor language-json\",\"children\":[\"$\",\"code\",null,{\"className\":\"language-json\",\"children\":[[\"$\",\"span\",\"fract-0-0\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-2\",{\"className\":\"token 
property\",\"children\":[\"\\\"groups\\\"\"]}],[\"$\",\"span\",\"fract-0-3\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-5\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-7\",{\"className\":\"token property\",\"children\":[\"\\\"group:sre\\\"\"]}],[\"$\",\"span\",\"fract-0-8\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-10\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-11\",{\"className\":\"token string\",\"children\":[\"\\\"alice@example.com\\\"\"]}],[\"$\",\"span\",\"fract-0-12\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\" \",[\"$\",\"span\",\"fract-0-14\",{\"className\":\"token string\",\"children\":[\"\\\"bob@example.com\\\"\"]}],[\"$\",\"span\",\"fract-0-15\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-17\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],[\"$\",\"span\",\"fract-0-18\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-20\",{\"className\":\"token property\",\"children\":[\"\\\"acls\\\"\"]}],[\"$\",\"span\",\"fract-0-21\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-23\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-25\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-27\",{\"className\":\"token property\",\"children\":[\"\\\"action\\\"\"]}],[\"$\",\"span\",\"fract-0-28\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-30\",{\"className\":\"token string\",\"children\":[\"\\\"accept\\\"\"]}],[\"$\",\"span\",\"fract-0-31\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-33\",{\"className\":\"token 
property\",\"children\":[\"\\\"src\\\"\"]}],[\"$\",\"span\",\"fract-0-34\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-36\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-37\",{\"className\":\"token string\",\"children\":[\"\\\"group:sre\\\"\"]}],[\"$\",\"span\",\"fract-0-38\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-39\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-41\",{\"className\":\"token property\",\"children\":[\"\\\"dst\\\"\"]}],[\"$\",\"span\",\"fract-0-42\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-44\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-45\",{\"className\":\"token string\",\"children\":[\"\\\"tag:prod:*\\\"\"]}],[\"$\",\"span\",\"fract-0-46\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-48\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],[\"$\",\"span\",\"fract-0-49\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-51\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-52\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-54\",{\"className\":\"token property\",\"children\":[\"\\\"ssh\\\"\"]}],[\"$\",\"span\",\"fract-0-55\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-57\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-59\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-61\",{\"className\":\"token property\",\"children\":[\"\\\"action\\\"\"]}],[\"$\",\"span\",\"fract-0-62\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" 
\",[\"$\",\"span\",\"fract-0-64\",{\"className\":\"token string\",\"children\":[\"\\\"accept\\\"\"]}],[\"$\",\"span\",\"fract-0-65\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-67\",{\"className\":\"token property\",\"children\":[\"\\\"src\\\"\"]}],[\"$\",\"span\",\"fract-0-68\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-70\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-71\",{\"className\":\"token string\",\"children\":[\"\\\"group:sre\\\"\"]}],[\"$\",\"span\",\"fract-0-72\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-73\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-75\",{\"className\":\"token property\",\"children\":[\"\\\"dst\\\"\"]}],[\"$\",\"span\",\"fract-0-76\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-78\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-79\",{\"className\":\"token string\",\"children\":[\"\\\"tag:prod\\\"\"]}],[\"$\",\"span\",\"fract-0-80\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-81\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-83\",{\"className\":\"token property\",\"children\":[\"\\\"users\\\"\"]}],[\"$\",\"span\",\"fract-0-84\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-86\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-87\",{\"className\":\"token string\",\"children\":[\"\\\"ubuntu\\\"\"]}],[\"$\",\"span\",\"fract-0-88\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\" \",[\"$\",\"span\",\"fract-0-90\",{\"className\":\"token string\",\"children\":[\"\\\"root\\\"\"]}],[\"$\",\"span\",\"fract-0-91\",{\"className\":\"token 
punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-92\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-94\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],[\"$\",\"span\",\"fract-0-95\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-97\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-99\",{\"className\":\"token property\",\"children\":[\"\\\"tagOwners\\\"\"]}],[\"$\",\"span\",\"fract-0-100\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-102\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-104\",{\"className\":\"token comment\",\"children\":[\"// users in group:sre can apply the tag tag:prod\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-106\",{\"className\":\"token property\",\"children\":[\"\\\"tag:prod\\\"\"]}],[\"$\",\"span\",\"fract-0-107\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-109\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-110\",{\"className\":\"token string\",\"children\":[\"\\\"group:sre\\\"\"]}],[\"$\",\"span\",\"fract-0-111\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-113\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],\"\\n\",[\"$\",\"span\",\"fract-0-115\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],\"\\n\"]}]}]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"To allow Alice to access devices in the development environment tagged \",[\"$\",\"code\",null,{\"children\":\"tag:dev\"}],\" that have been \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1084/sharing\",\"children\":\"shared\"}],\" with them:\"]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"group relative overflow-hidden\",\"children\":[[\"$\",\"div\",null,{\"className\":\"absolute 
right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100\",\"children\":[\"$\",\"$L2e8\",null,{\"text\":\"{\\n \\\"ssh\\\": [\\n {\\n \\\"action\\\": \\\"accept\\\",\\n \\\"src\\\": [\\\"alice@example.com\\\"],\\n \\\"dst\\\": [\\\"tag:dev\\\"],\\n \\\"users\\\": [\\\"root\\\", \\\"alice\\\"]\\n },\\n ]\\n}\\n\"}]}],[\"$\",\"pre\",null,{\"className\":\"refractor language-json\",\"children\":[\"$\",\"code\",null,{\"className\":\"language-json\",\"children\":[[\"$\",\"span\",\"fract-0-0\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-2\",{\"className\":\"token property\",\"children\":[\"\\\"ssh\\\"\"]}],[\"$\",\"span\",\"fract-0-3\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-5\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-7\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-9\",{\"className\":\"token property\",\"children\":[\"\\\"action\\\"\"]}],[\"$\",\"span\",\"fract-0-10\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-12\",{\"className\":\"token string\",\"children\":[\"\\\"accept\\\"\"]}],[\"$\",\"span\",\"fract-0-13\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-15\",{\"className\":\"token property\",\"children\":[\"\\\"src\\\"\"]}],[\"$\",\"span\",\"fract-0-16\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-18\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-19\",{\"className\":\"token string\",\"children\":[\"\\\"alice@example.com\\\"\"]}],[\"$\",\"span\",\"fract-0-20\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-21\",{\"className\":\"token 
punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-23\",{\"className\":\"token property\",\"children\":[\"\\\"dst\\\"\"]}],[\"$\",\"span\",\"fract-0-24\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-26\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-27\",{\"className\":\"token string\",\"children\":[\"\\\"tag:dev\\\"\"]}],[\"$\",\"span\",\"fract-0-28\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-29\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-31\",{\"className\":\"token property\",\"children\":[\"\\\"users\\\"\"]}],[\"$\",\"span\",\"fract-0-32\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-34\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-35\",{\"className\":\"token string\",\"children\":[\"\\\"root\\\"\"]}],[\"$\",\"span\",\"fract-0-36\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\" \",[\"$\",\"span\",\"fract-0-38\",{\"className\":\"token string\",\"children\":[\"\\\"alice\\\"\"]}],[\"$\",\"span\",\"fract-0-39\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-41\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],[\"$\",\"span\",\"fract-0-42\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-44\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],\"\\n\",[\"$\",\"span\",\"fract-0-46\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],\"\\n\"]}]}]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"It might be useful to match host users with login emails. 
For example, you can allow \",[\"$\",\"code\",null,{\"children\":\"dave@example.com\"}],\" to authenticate as the host user \",[\"$\",\"code\",null,{\"children\":\"dave\"}],\".\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"To allow any tailnet member in the login domain \",[\"$\",\"code\",null,{\"children\":\"example.com\"}],\" to access devices in the production environment that are tagged \",[\"$\",\"code\",null,{\"children\":\"tag:prod\"}],\", as a user that matches their login email local-part:\"]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"group relative overflow-hidden\",\"children\":[[\"$\",\"div\",null,{\"className\":\"absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100\",\"children\":[\"$\",\"$L2e8\",null,{\"text\":\"{\\n \\\"acls\\\": [\\n {\\n \\\"action\\\": \\\"accept\\\",\\n \\\"src\\\": [\\\"user:*@example.com\\\"],\\n \\\"dst\\\": [\\\"tag:prod:*\\\"]\\n }\\n ],\\n \\\"ssh\\\": [\\n {\\n \\\"action\\\": \\\"accept\\\",\\n \\\"src\\\": [\\\"user:*@example.com\\\"],\\n \\\"dst\\\": [\\\"tag:prod\\\"],\\n \\\"users\\\": [\\\"localpart:*@example.com\\\"]\\n }\\n ]\\n}\\n\"}]}],[\"$\",\"pre\",null,{\"className\":\"refractor language-json\",\"children\":[\"$\",\"code\",null,{\"className\":\"language-json\",\"children\":[[\"$\",\"span\",\"fract-0-0\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-2\",{\"className\":\"token property\",\"children\":[\"\\\"acls\\\"\"]}],[\"$\",\"span\",\"fract-0-3\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-5\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-7\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-9\",{\"className\":\"token 
property\",\"children\":[\"\\\"action\\\"\"]}],[\"$\",\"span\",\"fract-0-10\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-12\",{\"className\":\"token string\",\"children\":[\"\\\"accept\\\"\"]}],[\"$\",\"span\",\"fract-0-13\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-15\",{\"className\":\"token property\",\"children\":[\"\\\"src\\\"\"]}],[\"$\",\"span\",\"fract-0-16\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-18\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-19\",{\"className\":\"token string\",\"children\":[\"\\\"user:*@example.com\\\"\"]}],[\"$\",\"span\",\"fract-0-20\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-21\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-23\",{\"className\":\"token property\",\"children\":[\"\\\"dst\\\"\"]}],[\"$\",\"span\",\"fract-0-24\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-26\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-27\",{\"className\":\"token string\",\"children\":[\"\\\"tag:prod:*\\\"\"]}],[\"$\",\"span\",\"fract-0-28\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-30\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-32\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-33\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-35\",{\"className\":\"token property\",\"children\":[\"\\\"ssh\\\"\"]}],[\"$\",\"span\",\"fract-0-36\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-38\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\"\\n 
\",[\"$\",\"span\",\"fract-0-40\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-42\",{\"className\":\"token property\",\"children\":[\"\\\"action\\\"\"]}],[\"$\",\"span\",\"fract-0-43\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-45\",{\"className\":\"token string\",\"children\":[\"\\\"accept\\\"\"]}],[\"$\",\"span\",\"fract-0-46\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-48\",{\"className\":\"token property\",\"children\":[\"\\\"src\\\"\"]}],[\"$\",\"span\",\"fract-0-49\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-51\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-52\",{\"className\":\"token string\",\"children\":[\"\\\"user:*@example.com\\\"\"]}],[\"$\",\"span\",\"fract-0-53\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-54\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-56\",{\"className\":\"token property\",\"children\":[\"\\\"dst\\\"\"]}],[\"$\",\"span\",\"fract-0-57\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-59\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-60\",{\"className\":\"token string\",\"children\":[\"\\\"tag:prod\\\"\"]}],[\"$\",\"span\",\"fract-0-61\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-62\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-64\",{\"className\":\"token property\",\"children\":[\"\\\"users\\\"\"]}],[\"$\",\"span\",\"fract-0-65\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-67\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-68\",{\"className\":\"token 
string\",\"children\":[\"\\\"localpart:*@example.com\\\"\"]}],[\"$\",\"span\",\"fract-0-69\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-71\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-73\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],\"\\n\",[\"$\",\"span\",\"fract-0-75\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],\"\\n\"]}]}]]}],\"\\n\",[\"$\",\"span\",null,{\"id\":\"nodeattrs\"}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"node-attributes\",\"children\":\"Node attributes\",\"level\":2}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The \",[\"$\",\"code\",null,{\"children\":\"nodeAttrs\"}],\" section of the tailnet policy file defines additional attributes that apply to specific devices in your tailnet. You can use node attributes to set different \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1218/nextdns\",\"children\":\"NextDNS configurations\"}],\" for different devices in your tailnet.\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The following example shows a \",[\"$\",\"code\",null,{\"children\":\"nodeAttrs\"}],\" definition that targets \",[\"$\",\"code\",null,{\"children\":\"my-kid@my-home.com\"}],\" and \",[\"$\",\"code\",null,{\"children\":\"tag:server\"}],\" with the attributes \",[\"$\",\"code\",null,{\"children\":\"nextdns:abc123\"}],\" and \",[\"$\",\"code\",null,{\"children\":\"nextdns:no-device-info\"}],\".\"]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"group relative overflow-hidden\",\"children\":[[\"$\",\"div\",null,{\"className\":\"absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100\",\"children\":[\"$\",\"$L2e8\",null,{\"text\":\"\\\"nodeAttrs\\\": [\\n {\\n \\\"target\\\": [\\\"my-kid@my-home.com\\\", \\\"tag:server\\\"],\\n \\\"attr\\\": [\\n \\\"nextdns:abc123\\\",\\n 
\\\"nextdns:no-device-info\\\",\\n ],\\n },\\n],\\n\"}]}],[\"$\",\"pre\",null,{\"className\":\"refractor language-json\",\"children\":[\"$\",\"code\",null,{\"className\":\"language-json\",\"children\":[[\"$\",\"span\",\"fract-0-0\",{\"className\":\"token property\",\"children\":[\"\\\"nodeAttrs\\\"\"]}],[\"$\",\"span\",\"fract-0-1\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-3\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-5\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-7\",{\"className\":\"token property\",\"children\":[\"\\\"target\\\"\"]}],[\"$\",\"span\",\"fract-0-8\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-10\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-11\",{\"className\":\"token string\",\"children\":[\"\\\"my-kid@my-home.com\\\"\"]}],[\"$\",\"span\",\"fract-0-12\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\" \",[\"$\",\"span\",\"fract-0-14\",{\"className\":\"token string\",\"children\":[\"\\\"tag:server\\\"\"]}],[\"$\",\"span\",\"fract-0-15\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-16\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-18\",{\"className\":\"token property\",\"children\":[\"\\\"attr\\\"\"]}],[\"$\",\"span\",\"fract-0-19\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-21\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-23\",{\"className\":\"token string\",\"children\":[\"\\\"nextdns:abc123\\\"\"]}],[\"$\",\"span\",\"fract-0-24\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-26\",{\"className\":\"token 
string\",\"children\":[\"\\\"nextdns:no-device-info\\\"\"]}],[\"$\",\"span\",\"fract-0-27\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-29\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-30\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-32\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],[\"$\",\"span\",\"fract-0-33\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n\",[\"$\",\"span\",\"fract-0-35\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-36\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n\"]}]}]]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"target\",\"children\":[\"$\",\"code\",null,{\"children\":\"target\"}],\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"Specifies which nodes (devices) the attributes apply to. You can select the devices using a tag (\",[\"$\",\"code\",null,{\"children\":\"tag:server\"}],\"), user (\",[\"$\",\"code\",null,{\"children\":\"alice@example.com\"}],\"), group (\",[\"$\",\"code\",null,{\"children\":\"group:kids\"}],\"), or \",[\"$\",\"code\",null,{\"children\":\"*\"}],\".\"]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"attr\",\"children\":[\"$\",\"code\",null,{\"children\":\"attr\"}],\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":\"Specifies which attributes apply to those nodes (devices).\"}],\"\\n\",[\"$\",\"p\",null,{\"children\":\"For example:\"}],\"\\n\",[\"$\",\"ul\",null,{\"children\":[\"\\n\",[\"$\",\"li\",null,{\"children\":[\"The attribute \",[\"$\",\"code\",null,{\"children\":\"nextdns:abc123\"}],\" specifies the NextDNS configuration ID \",[\"$\",\"code\",null,{\"children\":\"abc123\"}],\". 
If this is used, the attribute overrides the global NextDNS configuration.\"]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"The attribute \",[\"$\",\"code\",null,{\"children\":\"nextdns:no-device-info\"}],\" disables sending device metadata to NextDNS.\"]}],\"\\n\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The following example allows members of the tailnet to use \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1223/funnel\",\"children\":\"Tailscale Funnel\"}],\" on their nodes:\"]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"group relative overflow-hidden\",\"children\":[[\"$\",\"div\",null,{\"className\":\"absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100\",\"children\":[\"$\",\"$L2e8\",null,{\"text\":\"\\\"nodeAttrs\\\": [\\n {\\n \\\"target\\\": [\\\"autogroup:members\\\"],\\n \\\"attr\\\": [\\\"funnel\\\"],\\n },\\n],\\n\"}]}],[\"$\",\"pre\",null,{\"className\":\"refractor language-json\",\"children\":[\"$\",\"code\",null,{\"className\":\"language-json\",\"children\":[[\"$\",\"span\",\"fract-0-0\",{\"className\":\"token property\",\"children\":[\"\\\"nodeAttrs\\\"\"]}],[\"$\",\"span\",\"fract-0-1\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-3\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-5\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-7\",{\"className\":\"token property\",\"children\":[\"\\\"target\\\"\"]}],[\"$\",\"span\",\"fract-0-8\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-10\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-11\",{\"className\":\"token string\",\"children\":[\"\\\"autogroup:members\\\"\"]}],[\"$\",\"span\",\"fract-0-12\",{\"className\":\"token 
punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-13\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-15\",{\"className\":\"token property\",\"children\":[\"\\\"attr\\\"\"]}],[\"$\",\"span\",\"fract-0-16\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-18\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-19\",{\"className\":\"token string\",\"children\":[\"\\\"funnel\\\"\"]}],[\"$\",\"span\",\"fract-0-20\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-21\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-23\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],[\"$\",\"span\",\"fract-0-24\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n\",[\"$\",\"span\",\"fract-0-26\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-27\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n\"]}]}]]}],\"\\n\",[\"$\",\"span\",null,{\"id\":\"tests\"}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"tests\",\"children\":\"Tests\",\"level\":2}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm\",\"children\":[[\"$\",\"span\",null,{\"className\":\"absolute left-3 top-3 inline-block h-[18px] w-[18px]\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"18px\",\"height\":\"18px\",\"viewBox\":\"0 0 24 
24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":\"2\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"12\",\"cy\":\"12\",\"r\":\"10\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"16\",\"x2\":\"12\",\"y2\":\"12\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"8\",\"x2\":\"12.01\",\"y2\":\"8\"}]]}]}],[\"ACL tests\",\" \",\"are\",\" available for \",[\"$\",\"$L16\",null,{\"href\":\"/pricing\",\"className\":\"!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline\",\"children\":\"all plans\"}],\".\"]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The \",[\"$\",\"code\",null,{\"children\":\"tests\"}],\" section lets you write assertions about your access rules that run as checks each time the tailnet policy file changes. If an assertion fails, Tailscale rejects the updated tailnet policy file with an error. The error message indicates the failing tests.\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":\"ACL tests let you ensure you don't accidentally revoke important permissions or expose a critical system.\"}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"A \",[\"$\",\"code\",null,{\"children\":\"tests\"}],\" definition looks like this:\"]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"group relative overflow-hidden\",\"children\":[[\"$\",\"div\",null,{\"className\":\"absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100\",\"children\":[\"$\",\"$L2e8\",null,{\"text\":\"\\\"tests\\\": [\\n {\\n \\\"src\\\": \\\"dave@example.com\\\",\\n \\\"srcPostureAttrs\\\": {\\n \\\"node:os\\\": \\\"windows\\\",\\n },\\n \\\"proto\\\": \\\"tcp\\\",\\n \\\"accept\\\": [\\\"example-host-1:22\\\", \\\"vega:80\\\"],\\n \\\"deny\\\": [\\\"192.0.2.3:443\\\"],\\n 
},\\n],\\n\"}]}],[\"$\",\"pre\",null,{\"className\":\"refractor language-json\",\"children\":[\"$\",\"code\",null,{\"className\":\"language-json\",\"children\":[[\"$\",\"span\",\"fract-0-0\",{\"className\":\"token property\",\"children\":[\"\\\"tests\\\"\"]}],[\"$\",\"span\",\"fract-0-1\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-3\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-5\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-7\",{\"className\":\"token property\",\"children\":[\"\\\"src\\\"\"]}],[\"$\",\"span\",\"fract-0-8\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-10\",{\"className\":\"token string\",\"children\":[\"\\\"dave@example.com\\\"\"]}],[\"$\",\"span\",\"fract-0-11\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-13\",{\"className\":\"token property\",\"children\":[\"\\\"srcPostureAttrs\\\"\"]}],[\"$\",\"span\",\"fract-0-14\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-16\",{\"className\":\"token punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-18\",{\"className\":\"token property\",\"children\":[\"\\\"node:os\\\"\"]}],[\"$\",\"span\",\"fract-0-19\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-21\",{\"className\":\"token string\",\"children\":[\"\\\"windows\\\"\"]}],[\"$\",\"span\",\"fract-0-22\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-24\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],[\"$\",\"span\",\"fract-0-25\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-27\",{\"className\":\"token property\",\"children\":[\"\\\"proto\\\"\"]}],[\"$\",\"span\",\"fract-0-28\",{\"className\":\"token 
operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-30\",{\"className\":\"token string\",\"children\":[\"\\\"tcp\\\"\"]}],[\"$\",\"span\",\"fract-0-31\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-33\",{\"className\":\"token property\",\"children\":[\"\\\"accept\\\"\"]}],[\"$\",\"span\",\"fract-0-34\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-36\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-37\",{\"className\":\"token string\",\"children\":[\"\\\"example-host-1:22\\\"\"]}],[\"$\",\"span\",\"fract-0-38\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\" \",[\"$\",\"span\",\"fract-0-40\",{\"className\":\"token string\",\"children\":[\"\\\"vega:80\\\"\"]}],[\"$\",\"span\",\"fract-0-41\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-42\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-44\",{\"className\":\"token property\",\"children\":[\"\\\"deny\\\"\"]}],[\"$\",\"span\",\"fract-0-45\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-47\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-48\",{\"className\":\"token string\",\"children\":[\"\\\"192.0.2.3:443\\\"\"]}],[\"$\",\"span\",\"fract-0-49\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-50\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-52\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],[\"$\",\"span\",\"fract-0-53\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n\",[\"$\",\"span\",\"fract-0-55\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-56\",{\"className\":\"token 
punctuation\",\"children\":[\",\"]}],\"\\n\"]}]}]]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"src-2\",\"children\":[\"$\",\"code\",null,{\"children\":\"src\"}],\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"Specifies the user identity to test, which can be a \",[\"$\",\"a\",null,{\"href\":\"#reference-users\",\"children\":\"user's email address\"}],\", a \",[\"$\",\"a\",null,{\"href\":\"#groups\",\"children\":\"group\"}],\", a \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1068/tags\",\"children\":\"tag\"}],\", or a \",[\"$\",\"a\",null,{\"href\":\"#hosts\",\"children\":\"host\"}],\" that maps to an IP address. The test case runs from the perspective of a device authenticated with the provided identity.\"]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"srcpostureattrs\",\"children\":[\"$\",\"code\",null,{\"children\":\"srcPostureAttrs\"}],\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"Specifies the \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1288/device-posture\",\"children\":\"device posture attributes\"}],\" as key-value pairs to use when evaluating posture conditions in access rules. You only need to use this field if the access rules contain \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1288/device-posture/#device-posture-conditions\",\"children\":\"device posture conditions\"}],\".\"]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"proto-1\",\"children\":[\"$\",\"code\",null,{\"children\":\"proto\"}],\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"Specifies the IP protocol for \",[\"$\",\"code\",null,{\"children\":\"accept\"}],\" and \",[\"$\",\"code\",null,{\"children\":\"deny\"}],\" rules, similar to the \",[\"$\",\"code\",null,{\"children\":\"proto\"}],\" field in \",[\"$\",\"a\",null,{\"href\":\"#acls\",\"children\":\"ACL rules\"}],\". 
When omitted, the test checks for either TCP or UDP access.\"]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"accept-and-deny-destinations\",\"children\":[[\"$\",\"code\",null,{\"children\":\"accept\"}],\" and \",[\"$\",\"code\",null,{\"children\":\"deny\"}],\" destinations\"],\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"Specifies destinations to accept or deny. Each destination in the list is of the form \",[\"$\",\"code\",null,{\"children\":\"host:port\"}],\" where \",[\"$\",\"code\",null,{\"children\":\"port\"}],\" is a single numeric port and \",[\"$\",\"code\",null,{\"children\":\"host\"}],\" is one of the following:\"]}],\"\\n\",[\"$\",\"table\",null,{\"className\":\"w-full\",\"children\":[[\"$\",\"thead\",null,{\"children\":[\"$\",\"tr\",null,{\"children\":[[\"$\",\"th\",null,{\"children\":[\"$\",\"strong\",null,{\"children\":\"Type\"}]}],[\"$\",\"th\",null,{\"children\":[\"$\",\"strong\",null,{\"children\":\"Example\"}]}],[\"$\",\"th\",null,{\"children\":[\"$\",\"strong\",null,{\"children\":\"Description\"}]}]]}]}],[\"$\",\"tbody\",null,{\"className\":\"fs-small\",\"children\":[[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"Tailscale IP\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"100.101.102.103\"}]}],[\"$\",\"td\",null,{\"children\":[\"Includes the device with the provided Tailscale IP address. 
IPv6 addresses must follow the format \",[\"$\",\"code\",null,{\"children\":\"[1:2:3::4]:80\"}],\".\"]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"a\",null,{\"href\":\"#hosts\",\"children\":\"Host\"}]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"my-host\"}]}],[\"$\",\"td\",null,{\"children\":[\"Includes the Tailscale IP address in the \",[\"$\",\"code\",null,{\"children\":\"hosts\"}],\" section.\"]}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":\"User\"}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"shreya@example.com\"}]}],[\"$\",\"td\",null,{\"children\":\"Includes the Tailscale IP addresses of devices signed in as the provided user.\"}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"a\",null,{\"href\":\"#groups\",\"children\":\"Group\"}]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"group:security@example.com\"}]}],[\"$\",\"td\",null,{\"children\":\"Includes the Tailscale IP addresses of devices signed in as a representative member of the provided group.\"}]]}],[\"$\",\"tr\",null,{\"children\":[[\"$\",\"td\",null,{\"children\":[\"$\",\"a\",null,{\"href\":\"/kb/1068/tags\",\"children\":\"Tag\"}]}],[\"$\",\"td\",null,{\"children\":[\"$\",\"code\",null,{\"children\":\"tag:production\"}]}],[\"$\",\"td\",null,{\"children\":\"Includes the Tailscale IP addresses of devices tagged with the provided tag.\"}]]}]]}]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"Sources in \",[\"$\",\"code\",null,{\"children\":\"src\"}],\" and destinations in \",[\"$\",\"code\",null,{\"children\":\"accept\"}],\" and \",[\"$\",\"code\",null,{\"children\":\"deny\"}],\" must refer to specific entities and do not support \",[\"$\",\"code\",null,{\"children\":\"*\"}],\" wildcards. 
For example, an \",[\"$\",\"code\",null,{\"children\":\"accept\"}],\" destination cannot be \",[\"$\",\"code\",null,{\"children\":\"tags:*\"}],\".\"]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm\",\"children\":[[\"$\",\"span\",null,{\"className\":\"absolute left-3 top-3 inline-block h-[18px] w-[18px]\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"18px\",\"height\":\"18px\",\"viewBox\":\"0 0 24 24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":\"2\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"12\",\"cy\":\"12\",\"r\":\"10\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"16\",\"x2\":\"12\",\"y2\":\"12\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"8\",\"x2\":\"12.01\",\"y2\":\"8\"}]]}]}],[\"$\",\"p\",null,{\"children\":[\"The legacy \",[\"$\",\"code\",null,{\"children\":\"allow\"}],\" (instead of \",[\"$\",\"code\",null,{\"children\":\"accept\"}],\") continues to work in ACLs. 
However, it is best practice to use \",[\"$\",\"code\",null,{\"children\":\"accept\"}],\".\"]}]]}],\"\\n\",[\"$\",\"span\",null,{\"id\":\"sshtests\"}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"ssh-tests\",\"children\":\"SSH Tests\",\"level\":2}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm\",\"children\":[[\"$\",\"span\",null,{\"className\":\"absolute left-3 top-3 inline-block h-[18px] w-[18px]\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"18px\",\"height\":\"18px\",\"viewBox\":\"0 0 24 24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":\"2\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"12\",\"cy\":\"12\",\"r\":\"10\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"16\",\"x2\":\"12\",\"y2\":\"12\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"8\",\"x2\":\"12.01\",\"y2\":\"8\"}]]}]}],[\"SSH tests\",\" \",\"are\",\" available for \",[\"$\",\"$L16\",null,{\"href\":\"/pricing\",\"className\":\"!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline\",\"children\":\"all plans\"}],\".\"]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The \",[\"$\",\"code\",null,{\"children\":\"sshTests\"}],\" section lets you write assertions about your \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1193/tailscale-ssh\",\"children\":\"Tailscale SSH\"}],\" access rules. SSH tests function similarly to ACL \",[\"$\",\"a\",null,{\"href\":\"#tests\",\"children\":\"tests\"}],\".\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":\"SSH tests run when the tailnet policy file changes. 
If an assertion fails, Tailscale rejects the updated tailnet policy file with an error detailing the failing tests.\"}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The following example shows a \",[\"$\",\"code\",null,{\"children\":\"sshTests\"}],\" definition that performs the following tests on connections from \",[\"$\",\"code\",null,{\"children\":\"dave@example.com\"}],\" to \",[\"$\",\"code\",null,{\"children\":\"example-host-1\"}],\":\"]}],\"\\n\",[\"$\",\"ul\",null,{\"children\":[\"\\n\",[\"$\",\"li\",null,{\"children\":[\"If the user is \",[\"$\",\"code\",null,{\"children\":\"dave\"}],\", it accepts the connection.\"]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"If the user is \",[\"$\",\"code\",null,{\"children\":\"admin\"}],\", it checks the connection.\"]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"If the user is \",[\"$\",\"code\",null,{\"children\":\"root\"}],\", it denies the connection.\"]}],\"\\n\"]}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"group relative overflow-hidden\",\"children\":[[\"$\",\"div\",null,{\"className\":\"absolute right-[5px] top-[21px] flex h-10 w-10 items-center justify-center rounded bg-grey-3 text-black opacity-0 transition-opacity duration-200 group-hover:opacity-100\",\"children\":[\"$\",\"$L2e8\",null,{\"text\":\"\\\"sshTests\\\": [\\n {\\n \\\"src\\\": \\\"dave@example.com\\\",\\n \\\"dst\\\": [\\\"example-host-1\\\"],\\n \\\"accept\\\": [\\\"dave\\\"],\\n \\\"check\\\": [\\\"admin\\\"],\\n \\\"deny\\\": [\\\"root\\\"],\\n },\\n],\\n\"}]}],[\"$\",\"pre\",null,{\"className\":\"refractor language-json\",\"children\":[\"$\",\"code\",null,{\"className\":\"language-json\",\"children\":[[\"$\",\"span\",\"fract-0-0\",{\"className\":\"token property\",\"children\":[\"\\\"sshTests\\\"\"]}],[\"$\",\"span\",\"fract-0-1\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-3\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-5\",{\"className\":\"token 
punctuation\",\"children\":[\"{\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-7\",{\"className\":\"token property\",\"children\":[\"\\\"src\\\"\"]}],[\"$\",\"span\",\"fract-0-8\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-10\",{\"className\":\"token string\",\"children\":[\"\\\"dave@example.com\\\"\"]}],[\"$\",\"span\",\"fract-0-11\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-13\",{\"className\":\"token property\",\"children\":[\"\\\"dst\\\"\"]}],[\"$\",\"span\",\"fract-0-14\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-16\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-17\",{\"className\":\"token string\",\"children\":[\"\\\"example-host-1\\\"\"]}],[\"$\",\"span\",\"fract-0-18\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-19\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-21\",{\"className\":\"token property\",\"children\":[\"\\\"accept\\\"\"]}],[\"$\",\"span\",\"fract-0-22\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-24\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-25\",{\"className\":\"token string\",\"children\":[\"\\\"dave\\\"\"]}],[\"$\",\"span\",\"fract-0-26\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-27\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-29\",{\"className\":\"token property\",\"children\":[\"\\\"check\\\"\"]}],[\"$\",\"span\",\"fract-0-30\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-32\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-33\",{\"className\":\"token 
string\",\"children\":[\"\\\"admin\\\"\"]}],[\"$\",\"span\",\"fract-0-34\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-35\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-37\",{\"className\":\"token property\",\"children\":[\"\\\"deny\\\"\"]}],[\"$\",\"span\",\"fract-0-38\",{\"className\":\"token operator\",\"children\":[\":\"]}],\" \",[\"$\",\"span\",\"fract-0-40\",{\"className\":\"token punctuation\",\"children\":[\"[\"]}],[\"$\",\"span\",\"fract-0-41\",{\"className\":\"token string\",\"children\":[\"\\\"root\\\"\"]}],[\"$\",\"span\",\"fract-0-42\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-43\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n \",[\"$\",\"span\",\"fract-0-45\",{\"className\":\"token punctuation\",\"children\":[\"}\"]}],[\"$\",\"span\",\"fract-0-46\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n\",[\"$\",\"span\",\"fract-0-48\",{\"className\":\"token punctuation\",\"children\":[\"]\"]}],[\"$\",\"span\",\"fract-0-49\",{\"className\":\"token punctuation\",\"children\":[\",\"]}],\"\\n\"]}]}]]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"src-3\",\"children\":[\"$\",\"code\",null,{\"children\":\"src\"}],\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"Specifies the user identity that's attempting to connect as SSH, which can be a \",[\"$\",\"a\",null,{\"href\":\"#reference-users\",\"children\":\"user's email address\"}],\", a \",[\"$\",\"a\",null,{\"href\":\"#groups\",\"children\":\"group\"}],\", a \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1068/tags\",\"children\":\"tag\"}],\", or a \",[\"$\",\"a\",null,{\"href\":\"#hosts\",\"children\":\"host\"}],\" that maps to an IP address. 
The test case runs from the perspective of a device authenticated with the provided identity.\"]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"dst-2\",\"children\":[\"$\",\"code\",null,{\"children\":\"dst\"}],\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"Specifies one or more destinations to which the \",[\"$\",\"code\",null,{\"children\":\"src\"}],\" user is connecting, which can be a \",[\"$\",\"a\",null,{\"href\":\"#reference-users\",\"children\":\"user's email address\"}],\", a \",[\"$\",\"a\",null,{\"href\":\"#groups\",\"children\":\"group\"}],\", a \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1068/tags\",\"children\":\"tag\"}],\", or a \",[\"$\",\"a\",null,{\"href\":\"#hosts\",\"children\":\"host\"}],\" that maps to an IP address.\"]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"accept\",\"children\":[\"$\",\"code\",null,{\"children\":\"accept\"}],\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"Specifies zero, one, or more usernames to allow on the \",[\"$\",\"code\",null,{\"children\":\"dst\"}],\" host without requiring an additional check. Refer to \",[\"$\",\"a\",null,{\"href\":\"#action-1\",\"children\":[\"action \",[\"$\",\"code\",null,{\"children\":\"accept\"}]]}],\".\"]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"check\",\"children\":[\"$\",\"code\",null,{\"children\":\"check\"}],\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"Specifies zero, one, or more usernames to allow on the \",[\"$\",\"code\",null,{\"children\":\"dst\"}],\" host if the \",[\"$\",\"code\",null,{\"children\":\"src\"}],\" user passes an additional check. 
Refer to \",[\"$\",\"a\",null,{\"href\":\"#action-1\",\"children\":[\"action \",[\"$\",\"code\",null,{\"children\":\"check\"}]]}],\".\"]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"deny\",\"children\":[\"$\",\"code\",null,{\"children\":\"deny\"}],\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"Specifies zero, one, or more usernames to disallow on the \",[\"$\",\"code\",null,{\"children\":\"dst\"}],\" host (under any circumstances).\"]}],\"\\n\",[\"$\",\"span\",null,{\"id\":\"ipsets\"}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"ip-sets\",\"children\":\"IP sets\",\"level\":2}],\"\\n\",[\"$\",\"p\",null,{\"children\":\"An IP set is a way to manage groups of IP addresses. It can encapsulate a collection of IP addresses, CIDRs, hosts, autogroups, and other IP sets. The primary benefit of IP sets is that they let you group multiple network parts into a single collection, enabling you to apply access control policies to the collection rather than the individual IP addresses, hosts, or subnets.\"}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"Refer to the \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1387/ipsets\",\"children\":\"IP sets documentation\"}],\".\"]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"network-policy-options\",\"children\":\"Network policy options\",\"level\":2}],\"\\n\",[\"$\",\"div\",null,{\"className\":\"note border-grey-200 relative mt-4 rounded border border-solid pb-2 pl-9 pr-3 pt-3 text-base leading-normal tracking-tight md:text-sm\",\"children\":[[\"$\",\"span\",null,{\"className\":\"absolute left-3 top-3 inline-block h-[18px] w-[18px]\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"18px\",\"height\":\"18px\",\"viewBox\":\"0 0 24 
24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":\"2\",\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"children\":[[\"$\",\"circle\",null,{\"cx\":\"12\",\"cy\":\"12\",\"r\":\"10\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"16\",\"x2\":\"12\",\"y2\":\"12\"}],[\"$\",\"line\",null,{\"x1\":\"12\",\"y1\":\"8\",\"x2\":\"12.01\",\"y2\":\"8\"}]]}]}],[\"Network policy options\",\" \",\"are\",\" available for \",[\"$\",\"$L16\",null,{\"href\":\"/pricing\",\"className\":\"!font-medium !text-blue-500 underline decoration-blue-50 underline-offset-4 hover:!text-blue-700 hover:!decoration-blue-500 focus-visible:no-underline\",\"children\":\"all plans\"}],\".\"]]}],\"\\n\",[\"$\",\"p\",null,{\"children\":\"In addition to access rules, the tailnet policy file includes a few network-wide policy settings for specialized purposes. Most networks should never need to specify these.\"}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"derpmap\",\"children\":[\"$\",\"code\",null,{\"children\":\"derpMap\"}],\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The \",[\"$\",\"code\",null,{\"children\":\"derpMap\"}],\" section lets you add \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1118/custom-derp-servers\",\"children\":\"custom DERP servers\"}],\" to your network, which your devices will use as needed to relay traffic. You can also use this section to disable using Tailscale-provided DERP servers. For example, you might want to disable tailnet-provided DERP servers to meet corporate compliance requirements. 
Refer to \",[\"$\",\"$L16\",null,{\"href\":\"/kb/1118/custom-derp-servers\",\"children\":\"running custom DERP servers\"}],\" for more information.\"]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"disableipv4\",\"children\":[\"$\",\"code\",null,{\"children\":\"disableIPv4\"}],\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The \",[\"$\",\"code\",null,{\"children\":\"disableIPv4\"}],\" field (if set to \",[\"$\",\"code\",null,{\"children\":\"true\"}],\") stops assigning Tailscale IPv4 addresses to your devices. When IPv4 is disabled, all devices in your network receive exclusively IPv6 Tailscale addresses. Devices that do not support IPv6 (for example, systems that have IPv6 disabled in the operating system) will be unreachable. This option is intended for users with a pre-existing conflicting use of the \",[\"$\",\"code\",null,{\"children\":\"100.64.0.0/10\"}],\" carrier-grade NAT address range.\"]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"onecgnatroute\",\"children\":[\"$\",\"code\",null,{\"children\":\"OneCGNATRoute\"}],\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The \",[\"$\",\"code\",null,{\"children\":\"OneCGNATRoute\"}],\" field controls the routes that Tailscale clients generate.\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":\"Tailscale clients can have either:\"}],\"\\n\",[\"$\",\"ul\",null,{\"children\":[\"\\n\",[\"$\",\"li\",null,{\"children\":[\"One large \",[\"$\",\"code\",null,{\"children\":\"100.64/10\"}],\" route to avoid churn in the routing table as devices go online and offline. 
(The churn is \",[\"$\",\"a\",null,{\"href\":\"https://bugs.chromium.org/p/chromium/issues/detail?id=1076619\",\"children\":\"disruptive\"}],\" to Chromium-based browsers on macOS.)\"]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"Fine-grained \",[\"$\",\"code\",null,{\"children\":\"/32\"}],\" routes.\"]}],\"\\n\"]}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The possible values for \",[\"$\",\"code\",null,{\"children\":\"OneCGNATRoute\"}],\" are:\"]}],\"\\n\",[\"$\",\"ul\",null,{\"children\":[\"\\n\",[\"$\",\"li\",null,{\"children\":[\"An empty string or not provided: Use default heuristics for each platform.\",\"\\n\",[\"$\",\"ul\",null,{\"children\":[\"\\n\",[\"$\",\"li\",null,{\"children\":[\"For all platforms (other than macOS), Tailscale adds fine-grained \",[\"$\",\"code\",null,{\"children\":\"/32\"}],\" routes for each device.\"]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[\"On macOS (for Tailscale v1.28 or later), Tailscale adds one \",[\"$\",\"code\",null,{\"children\":\"100.64/10\"}],\" route. 
Tailscale won't use one \",[\"$\",\"code\",null,{\"children\":\"100.64/10\"}],\" route if other interfaces also route IP addresses in that range.\"]}],\"\\n\"]}],\"\\n\"]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[[\"$\",\"code\",null,{\"children\":\"\\\"mac-always\\\"\"}],\": macOS clients always add one \",[\"$\",\"code\",null,{\"children\":\"100.64/10\"}],\" route.\"]}],\"\\n\",[\"$\",\"li\",null,{\"children\":[[\"$\",\"code\",null,{\"children\":\"\\\"mac-never\\\"\"}],\": macOS clients always add fine-grained \",[\"$\",\"code\",null,{\"children\":\"/32\"}],\" routes.\"]}],\"\\n\"]}],\"\\n\",[\"$\",\"$L2e7\",null,{\"id\":\"randomizeclientport\",\"children\":[\"$\",\"code\",null,{\"children\":\"randomizeClientPort\"}],\"level\":3}],\"\\n\",[\"$\",\"p\",null,{\"children\":[\"The \",[\"$\",\"code\",null,{\"children\":\"randomizeClientPort\"}],\" field (if set to \",[\"$\",\"code\",null,{\"children\":\"true\"}],\") makes devices prefer a random port for WireGuard traffic over the default static port \",[\"$\",\"code\",null,{\"children\":\"41641\"}],\". 
You should only use the \",[\"$\",\"code\",null,{\"children\":\"randomizeClientPort\"}],\" field as a workaround for some buggy firewall devices after consulting with Tailscale (\",[\"$\",\"$L16\",null,{\"href\":\"/contact/support\",\"children\":\"support\"}],\").\"]}]]}]}]}]]}],[\"$\",\"p\",null,{\"className\":\"mt-6 text-sm leading-snug text-gray-600\",\"children\":[\"Last updated \",\"Feb 24, 2025\"]}]]}]}],[\"$\",\"aside\",null,{\"className\":\"js-docHighlight col-span-10 h-full pb-8 md:col-span-8 md:col-start-4 xl:col-span-2 xl:col-start-auto\",\"children\":[\"$\",\"div\",null,{\"className\":\"sticky top-16 flex flex-col gap-8\",\"children\":[[\"$\",\"$L2eb\",null,{\"data\":[{\"id\":\"access-rules\",\"text\":\"Access rules\",\"level\":2},{\"id\":\"action\",\"text\":\"action\",\"level\":3},{\"id\":\"src\",\"text\":\"src\",\"level\":3},{\"id\":\"proto\",\"text\":\"proto\",\"level\":3},{\"id\":\"dst\",\"text\":\"dst\",\"level\":3},{\"id\":\"subnet-routers-and-exit-nodes\",\"text\":\"Subnet routers and exit nodes\",\"level\":3},{\"id\":\"taildrop-precedence\",\"text\":\"Taildrop precedence\",\"level\":3},{\"id\":\"grants\",\"text\":\"Grants\",\"level\":2},{\"id\":\"reference-users\",\"text\":\"Reference users\",\"level\":2},{\"id\":\"autogroups\",\"text\":\"Autogroups\",\"level\":2},{\"id\":\"domain-based-autogroups\",\"text\":\"Domain based autogroups\",\"level\":3},{\"id\":\"groups\",\"text\":\"Groups\",\"level\":2},{\"id\":\"edit-a-users-group-membership-from-the-users-page\",\"text\":\"Edit a user's group membership from the Users page\",\"level\":3},{\"id\":\"provisioned-groups\",\"text\":\"Provisioned groups\",\"level\":3},{\"id\":\"reference-multiple-devices\",\"text\":\"Reference multiple devices\",\"level\":2},{\"id\":\"tags\",\"text\":\"Tags\",\"level\":3},{\"id\":\"hosts\",\"text\":\"Hosts\",\"level\":3},{\"id\":\"postures\",\"text\":\"Postures\",\"level\":2},{\"id\":\"tag-owners\",\"text\":\"Tag 